Summary:


NtAddAtom(>)  1 
NtGdiHfontCreate(>)  2 
NtCreateSemaphore(>)  7 
NtQuerySection(>)  30 

NtAllocateLocallyUniqueId(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenSymbolicLinkObject(>)  7 
NtEnumerateKey(>)  32 

NtCallbackReturn(>)  1 
NtQueryInstallUILanguage(>)  2 
NtQuerySymbolicLinkObject(>)  7 
NtCreateEvent(>)  33 

NtClearEvent(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtReadVirtualMemory(>)  7 
NtCreateFile(>)  33 

NtConnectPort(>)  1 
NtSetEvent(>)  2 
NtUserCallNoParam(>)  7 
NtOpenThreadToken(>)  34 

NtDelayExecution(>)  1 
NtTestAlert(>)  2 
NtQueryVirtualMemory(>)  8 
NtQueryInformationFile(>)  34 

NtDuplicateToken(>)  1 
NtUserCloseDesktop(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtReleaseMutant(>)  38 

NtGdiCreateBitmap(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserGetWindowDC(>)  10 
NtUnmapViewOfSection(>)  40 

NtGdiCreateHalftonePalette(>)  1 
NtUserDestroyWindow(>)  2 
NtUserCallOneParam(>)  11 
NtProtectVirtualMemory(>)  41 

NtGdiCreatePaletteInternal(>)  1 
NtUserGetObjectInformation(>)  2 
NtUserSystemParametersInfo(>)  11 
NtQueryDefaultLocale(>)  42 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserMessageCall(>)  2 
NtWriteFile(>)  11 
NtQueryInformationProcess(>)  47 

NtGdiDoPalette(>)  1 
NtUserWaitForInputIdle(>)  2 
NtSetValueKey(>)  12 
NtUserUnregisterClass(>)  47 

NtGdiInit(>)  1 
NtCreateProcessEx(>)  3 
NtWriteVirtualMemory(>)  12 
NtUserFindExistingCursorIcon(>)  49 

NtGdiQueryFontAssocInfo(>)  1 
NtDuplicateObject(>)  3 
NtNotifyChangeKey(>)  15 
NtCreateSection(>)  60 

NtGdiSelectBitmap(>)  1 
NtOpenMutant(>)  3 
NtOpenProcessToken(>)  15 
NtUserRegisterClassExWOW(>)  65 

NtOpenKeyedEvent(>)  1 
NtOpenProcess(>)  3 
NtRequestWaitReplyPort(>)  16 
NtWaitForSingleObject(>)  66 

NtQueryFullAttributesFile(>)  1 
NtQueryInformationJobObject(>)  3 
NtCreateKey(>)  17 
NtOpenSection(>)  73 

NtQueryInformationThread(>)  1 
NtTerminateProcess(>)  3 
NtDeviceIoControlFile(>)  17 
NtReadFile(>)  77 

NtQueryObject(>)  1 
NtUserOpenDesktop(>)  3 
NtFreeVirtualMemory(>)  17 
NtMapViewOfSection(>)  82 

NtQueryPerformanceCounter(>)  1 
NtUserRemoveProp(>)  3 
NtFsControlFile(>)  17 
NtAllocateVirtualMemory(>)  85 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryVolumeInformationFile(>)  17 
NtQuerySystemInformation(>)  89 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtFlushInstructionCache(>)  19 
NtUserGetClassInfo(>)  91 

NtUserBuildNameList(>)  1 
NtCreateThread(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtOpenFile(>)  99 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtEnumerateValueKey(>)  23 
NtOpenProcessTokenEx(>)  111 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtQueryDebugFilterState(>)  25 
NtOpenThreadTokenEx(>)  111 

NtUserGetForegroundWindow(>)  1 
NtQuerySecurityObject(>)  4 
NtRaiseException(>)  25 
NtQueryInformationToken(>)  129 

NtUserGetGUIThreadInfo(>)  1 
NtResumeThread(>)  4 
NtSetInformationProcess(>)  25 
NtQueryKey(>)  129 

NtUserGetThreadDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtSetInformationFile(>)  27 
NtUserQueryWindow(>)  138 

NtUserSetProp(>)  1 
NtSetInformationObject(>)  5 
NtSetInformationThread(>)  27 
NtQueryAttributesFile(>)  154 

NtAccessCheck(>)  2 
NtUserBuildHwndList(>)  5 
NtReleaseSemaphore(>)  28 
NtQueryValueKey(>)  226 

NtCreateIoCompletion(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtQueryDirectoryFile(>)  29 
NtOpenKey(>)  480 

NtGdiCreateSolidBrush(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtContinue(>)  30 
NtClose(>)  597 


Trace:
 00001   304   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   304   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   304   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   304   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   304   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   304   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   304   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   304   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   304   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   304   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   304   NtClose  (12, ... ) == 0x0
 00014   304   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   304   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   304   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   304   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   304   NtClose  (16, ... ) == 0x0
 00021   304   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   304   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   304   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   304   NtClose  (16, ... ) == 0x0
 00026   304   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   304   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   304   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   304   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   304   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 300, 304, 1431, 0} "\250\345\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 300, 304, 1431, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 300, 304, 1431, 0} "\250\345\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   304   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   304   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   304   NtClose  (16, ... ) == 0x0
 00036   304   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   304   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   304   NtClose  (28, ... ) == 0x0
 00041   304   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   304   NtClose  (28, ... ) == 0x0
 00045   304   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   304   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   304   NtClose  (28, ... ) == 0x0
 00049   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   304   NtClose  (28, ... ) == 0x0
 00052   304   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   304   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 300, 304, 1435, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 300, 304, 1435, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 300, 304, 1435, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   304   NtProtectVirtualMemory  (-1, (0x92a000), 49152, 4, ... (0x92a000), 49152, 128, ) == 0x0
 00057   304   NtProtectVirtualMemory  (-1, (0x92a000), 49152, 128, ... (0x92a000), 49152, 4, ) == 0x0
 00058   304   NtFlushInstructionCache  (-1, 9609216, 49152, ... ) == 0x0
 00059   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00060   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   304   NtClose  (28, ... ) == 0x0
 00062   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   304   NtClose  (28, ... ) == 0x0
 00065   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   304   NtClose  (28, ... ) == 0x0
 00068   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   304   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   304   NtClose  (28, ... ) == 0x0
 00071   304   NtProtectVirtualMemory  (-1, (0x92a000), 49152, 4, ... (0x92a000), 49152, 64, ) == 0x0
 00072   304   NtProtectVirtualMemory  (-1, (0x92a000), 49152, 64, ... (0x92a000), 49152, 4, ) == 0x0
 00073   304   NtFlushInstructionCache  (-1, 9609216, 49152, ... ) == 0x0
 00074   304   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   304   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   304   NtClose  (28, ... ) == 0x0
 00077   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   304   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   304   NtClose  (28, ... ) == 0x0
 00080   304   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   304   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   304   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   304   NtClose  (28, ... ) == 0x0
 00085   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   304   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   304   NtClose  (28, ... ) == 0x0
 00088   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   304   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   304   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 300, 304, 1438, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 300, 304, 1438, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 300, 304, 1438, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   304   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x940000), 0x0, 1060864, ) == 0x0
 00095   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   304   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   304   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482048, ) == 0x0
 00098   304   NtQueryInformationToken  (-2147482048, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   304   NtQueryInformationToken  (-2147482048, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   304   NtClose  (-2147482048, ... ) == 0x0
 00101   304   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   304   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   304   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   304   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00105   304   NtQueryValueKey  (-2147482048,  (-2147482048, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   304   NtClose  (-2147482048, ... ) == 0x0
 00107   304   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00108   304   NtQueryValueKey  (-2147482048,  (-2147482048, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   304   NtClose  (-2147482048, ... ) == 0x0
 00110   304   NtQueryDefaultLocale  (0, -133461492, ... ) == 0x0
 00111   304   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   304   NtUserCallNoParam  (24, ... ) == 0x0
 00113   304   NtGdiCreateCompatibleDC  (0, ...
 00114   304   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   304   NtGdiCreateCompatibleDC  ... ) == 0x8010416
 00115   304   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   304   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   304   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x3050417
 00118   304   NtGdiCreateSolidBrush  (0, 0, ...
 00119   304   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 13959168, 4096, ) == 0x0
 00118   304   NtGdiCreateSolidBrush  ... ) == 0x1100418
 00120   304   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   304   NtGdiCreateCompatibleDC  (0, ... ) == 0x1010419
 00122   304   NtGdiSelectBitmap  (16843801, 50660375, ... ) == 0x185000f
 00123   304   NtUserGetThreadDesktop  (304, 0, ... ) == 0x2c
 00124   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   304   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   304   NtClose  (52, ... ) == 0x0
 00127   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x8127c017
 00129   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x8127c01c
 00131   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x8127c01e
 00133   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x81278002
 00135   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x8127c018
 00137   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x8127c01a
 00139   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x8127c01d
 00141   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x8127c026
 00143   304   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   304   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x8127c019
 00145   304   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00146   304   NtAllocateVirtualMemory  (-1, 10907648, 0, 4096, 4096, 32, ... 10907648, 4096, ) == 0x0
 00145   304   NtUserRegisterClassExWOW  ... ) == 0x8127c020
 00147   304   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8127c022
 00148   304   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8127c023
 00149   304   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x8127c024
 00150   304   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x8127c025
 00151   304   NtCallbackReturn  (0, 0, 0, ...
 00152   304   NtGdiInit  (... ) == 0x1
 00153   304   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   304   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   304   NtTestAlert  (... ) == 0x0
 00156   304   NtContinue  (1244464, 1, ...
 00157   304   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x92b000,}, 4, ... ) == 0x0
 00158   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00159   304   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1325376, 1325920, 0, 1243996}  (24, {20, 48, new_msg, 0, 1325376, 1325920, 0, 1243996} "\0\0\0\0\2\0\1\0\224\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 300, 304, 1441, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 300, 304, 1441, 0}  (24, {20, 48, new_msg, 0, 1325376, 1325920, 0, 1243996} "\0\0\0\0\2\0\1\0\224\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 300, 304, 1441, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00160   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00161   304   NtQueryDirectoryFile  (-2147482048, 0, 0, 0, -519823360, 4096, Names, 1,  (-2147482048, 0, 0, 0, -519823360, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00162   304   NtClose  (-2147482048, ... ) == 0x0
 00160   304   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00163   304   NtClose  (52, ... ) == 0x0
 00164   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00165   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00166   304   NtClose  (-2147482048, ... ) == 0x0
 00167   304   NtQueryDirectoryFile  (-2147482048, 0, 0, 0, -519823360, 4096, Names, 1,  (-2147482048, 0, 0, 0, -519823360, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00168   304   NtClose  (-2147482048, ... ) == 0x0
 00165   304   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00169   304   NtQueryVolumeInformationFile  (52, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00170   304   NtQueryInformationFile  (52, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00171   304   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0
 00172   304   NtClose  (52, ... ) == 0x0
 00173   304   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00174   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00175   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00176   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00177   304   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00178   304   NtClose  (52, ... ) == 0x0
 00179   304   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00180   304   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00181   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 60, ) }, ... 60, ) == 0x0
 00183   304   NtQueryValueKey  (60,  (60, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00184   304   NtClose  (60, ... ) == 0x0
 00185   304   NtQueryVolumeInformationFile  (52, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00186   304   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00187   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00188   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00189   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 60, ... 64, ) == 0x0
 00190   304   NtClose  (60, ... ) == 0x0
 00191   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 106496, ) == 0x0
 00192   304   NtClose  (64, ... ) == 0x0
 00193   304   NtUnmapViewOfSection  (-1, 0xd60000, ... ) == 0x0
 00194   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00195   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00196   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 60, ) == 0x0
 00197   304   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00198   304   NtOpenProcessToken  (-1, 0x8, ... 68, ) == 0x0
 00199   304   NtQueryInformationToken  (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00200   304   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00201   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0
 00202   304   NtQueryValueKey  (72,  (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00203   304   NtClose  (72, ... ) == 0x0
 00204   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00205   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00206   304   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00207   304   NtClose  (72, ... ) == 0x0
 00208   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209   304   NtClose  (68, ... ) == 0x0
 00210   304   NtClose  (64, ... ) == 0x0
 00211   304   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00212   304   NtClose  (60, ... ) == 0x0
 00213   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00214   304   NtQueryInformationFile  (60, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00215   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 60, ... 64, ) == 0x0
 00216   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xd60000), 0x0, 1028096, ) == 0x0
 00217   304   NtQueryInformationFile  (60, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00218   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219   304   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00220   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00221   304   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00222   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00223   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (68, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00224   304   NtClose  (68, ... ) == 0x0
 00225   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00226   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00227   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00228   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00229   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00230   304   NtClose  (68, ... ) == 0x0
 00231   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00232   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00233   304   NtClose  (68, ... ) == 0x0
 00234   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00235   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00236   304   NtClose  (68, ... ) == 0x0
 00237   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00238   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (68, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00239   304   NtClose  (68, ... ) == 0x0
 00240   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00241   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00242   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00243   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00244   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00245   304   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00246   304   NtClose  (68, ... ) == 0x0
 00247   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   304   NtUnmapViewOfSection  (-1, 0xd60000, ... ) == 0x0
 00250   304   NtClose  (64, ... ) == 0x0
 00251   304   NtClose  (60, ... ) == 0x0
 00252   304   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00253   304   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   304   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00255   304   NtOpenProcessToken  (-1, 0xa, ... 60, ) == 0x0
 00256   304   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00257   304   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00259   304   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00260   304   NtQueryValueKey  (64,  (64, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00261   304   NtClose  (64, ... ) == 0x0
 00262   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00263   304   NtQueryValueKey  (64,  (64, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00264   304   NtQueryValueKey  (64,  (64, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (64, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00265   304   NtClose  (64, ... ) == 0x0
 00266   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00268   304   NtQueryValueKey  (64,  (64, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   304   NtClose  (64, ... ) == 0x0
 00270   304   NtQueryDefaultUILanguage  (2013024600, ...
 00271   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00272   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482048, ) == 0x0
 00273   304   NtQueryInformationToken  (-2147482048, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00274   304   NtClose  (-2147482048, ... ) == 0x0
 00275   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00276   304   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   304   NtOpenKey  (0x80000000, {24, -2147482048, 0x640, 0, 0,  (0x80000000, {24, -2147482048, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 00278   304   NtQueryValueKey  (-2147482060,  (-2147482060, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   304   NtClose  (-2147482060, ... ) == 0x0
 00280   304   NtClose  (-2147482048, ... ) == 0x0
 00270   304   NtQueryDefaultUILanguage  ... ) == 0x0
 00281   304   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00282   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00283   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00284   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00285   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00286   304   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00287   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00288   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00289   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00290   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00291   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00292   304   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00293   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 64, ) }, ... 64, ) == 0x0
 00294   304   NtEnumerateKey  (64, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (64, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00295   304   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 68, ) }, ... 68, ) == 0x0
 00296   304   NtQueryValueKey  (68,  (68, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (68, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00297   304   NtQueryValueKey  (68,  (68, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (68, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00298   304   NtClose  (68, ... ) == 0x0
 00299   304   NtEnumerateKey  (64, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00300   304   NtClose  (64, ... ) == 0x0
 00301   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00316   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00317   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00318   304   NtClose  (64, ... ) == 0x0
 00319   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00321   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00322   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00323   304   NtClose  (64, ... ) == 0x0
 00324   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00326   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00327   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00328   304   NtClose  (64, ... ) == 0x0
 00329   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00331   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00332   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00333   304   NtClose  (64, ... ) == 0x0
 00334   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00336   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00337   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00338   304   NtClose  (64, ... ) == 0x0
 00339   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00341   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00342   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00343   304   NtClose  (64, ... ) == 0x0
 00344   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00345   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00346   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00347   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00348   304   NtClose  (64, ... ) == 0x0
 00349   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00350   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00351   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00352   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00353   304   NtClose  (64, ... ) == 0x0
 00354   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00355   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00357   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   304   NtClose  (64, ... ) == 0x0
 00359   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00360   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00361   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00362   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00363   304   NtClose  (64, ... ) == 0x0
 00364   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00365   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00366   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00367   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00368   304   NtClose  (64, ... ) == 0x0
 00369   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00371   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00372   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00373   304   NtClose  (64, ... ) == 0x0
 00374   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00375   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00376   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00377   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00378   304   NtClose  (64, ... ) == 0x0
 00379   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00381   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00382   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00383   304   NtClose  (64, ... ) == 0x0
 00384   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00386   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00387   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00388   304   NtClose  (64, ... ) == 0x0
 00389   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00390   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00391   304   NtQueryValueKey  (64,  (64, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (64, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (64, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00392   304   NtClose  (64, ... ) == 0x0
 00393   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00394   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00395   304   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00396   304   NtClose  (64, ... ) == 0x0
 00397   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   304   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00399   304   NtOpenProcessToken  (-1, 0xa, ... 64, ) == 0x0
 00400   304   NtDuplicateToken  (64, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 68, ) == 0x0
 00401   304   NtClose  (64, ... ) == 0x0
 00402   304   NtAccessCheck  (1332888, 68, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 00403   304   NtClose  (68, ... ) == 0x0
 00404   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00405   304   NtQueryValueKey  (68,  (68, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00406   304   NtClose  (68, ... ) == 0x0
 00407   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 68, ) }, ... 68, ) == 0x0
 00408   304   NtQuerySymbolicLinkObject  (68, ...  (68, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00409   304   NtClose  (68, ... ) == 0x0
 00410   304   NtQueryInformationFile  (52, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 00411   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00412   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00413   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 00414   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00415   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (68, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00416   304   NtClose  (68, ... ) == 0x0
 00417   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 68, {status=0x0, info=1}, ) }, 3, 16417, ... 68, {status=0x0, info=1}, ) == 0x0
 00418   304   NtQueryDirectoryFile  (68, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (68, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00419   304   NtClose  (68, ... ) == 0x0
 00420   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00421   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00422   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00423   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00424   304   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00425   304   NtClose  (68, ... ) == 0x0
 00426   304   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00427   304   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 64, ) }, ... 64, ) == 0x0
 00428   304   NtClose  (68, ... ) == 0x0
 00429   304   NtQueryValueKey  (64,  (64, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00430   304   NtQueryValueKey  (64,  (64, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (64, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00431   304   NtClose  (64, ... ) == 0x0
 00432   304   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 14024704, 4096, ) == 0x0
 00433   304   NtAllocateVirtualMemory  (-1, 14024704, 0, 4096, 4096, 4, ... 14024704, 4096, ) == 0x0
 00434   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00435   304   NtQueryValueKey  (64,  (64, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00436   304   NtClose  (64, ... ) == 0x0
 00437   304   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00438   304   NtQueryInformationToken  (60, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00439   304   NtQueryInformationToken  (60, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00440   304   NtClose  (60, ... ) == 0x0
 00441   304   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 56, 0, 0, 0, ... ) == 0x0
 00442   304   NtQueryInformationProcess  (60, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=300,}, 0x0, ) == 0x0
 00443   304   NtReadVirtualMemory  (60, 0x7ffdf008, 4, ...  (60, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00444   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   304   NtAllocateVirtualMemory  (-1, 1335296, 0, 8192, 4096, 4, ... 1335296, 8192, ) == 0x0
 00446   304   NtReadVirtualMemory  (60, 0x9800000, 4096, ...  (60, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00447   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00448   304   NtQueryInformationProcess  (60, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=300,}, 0x0, ) == 0x0
 00449   304   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 14090240, 4096, ) == 0x0
 00450   304   NtAllocateVirtualMemory  (60, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00451   304   NtWriteVirtualMemory  (60, 0x10000,  (60, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00452   304   NtAllocateVirtualMemory  (60, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 00453   304   NtWriteVirtualMemory  (60, 0x20000,  (60, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 00454   304   NtWriteVirtualMemory  (60, 0x7ffdf010,  (60, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00455   304   NtWriteVirtualMemory  (60, 0x7ffdf1e8,  (60, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00456   304   NtFreeVirtualMemory  (-1, (0xd70000), 0, 32768, ... (0xd70000), 4096, ) == 0x0
 00457   304   NtAllocateVirtualMemory  (60, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00458   304   NtAllocateVirtualMemory  (60, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00459   304   NtProtectVirtualMemory  (60, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00460   304   NtCreateThread  (0x1f03ff, 0x0, 60, 1241260, 1241980, 1, ... 64, {364, 564}, ) == 0x0
 00461   304   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1326432, 1243080}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1326432, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\0\0\0@\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 1453, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\0\0\0@\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 300, 304, 1453, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1326432, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\0\0\0@\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 1453, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\0\0\0@\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00462   304   NtResumeThread  (64, ... 1, ) == 0x0
 00463   304   NtClose  (52, ... ) == 0x0
 00464   304   NtClose  (56, ... ) == 0x0
 00465   304   NtQueryInformationProcess  (60, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=300,}, 0x0, ) == 0x0
 00466   304   NtUserWaitForInputIdle  (364, 30000, 0, ...
 00467   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00468   304   NtClose  (56, ... ) == 0x0
 00466   304   NtUserWaitForInputIdle  ... ) == 0x102
 00469   304   NtClose  (60, ... ) == 0x0
 00470   304   NtClose  (64, ... ) == 0x0
 00471   304   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14090240, 8192, ) == 0x0
 00472   304   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14155776, 4096, ) == 0x0
 00473   304   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00474   304   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 14221312, 4096, ) == 0x0
 00475   304   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00476   304   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 14286848, 8192, ) == 0x0
 00477   304   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00478   304   NtAllocateVirtualMemory  (-1, 0, 0, 26612, 4096, 64, ... 14352384, 28672, ) == 0x0
 00479   304   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00480   304   NtContinue  (1242868, 0, ...
 00481   304   NtAllocateVirtualMemory  (-1, 0, 0, 4220416, 4096, 64, ... 14417920, 4222976, ) == 0x0
 00482   304   NtAllocateVirtualMemory  (-1, 1343488, 0, 45056, 4096, 4, ... 1343488, 45056, ) == 0x0
 00483   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00484   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00485   304   NtClose  (64, ... ) == 0x0
 00486   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00487   304   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 18677760, 65536, ) == 0x0
 00488   304   NtAllocateVirtualMemory  (-1, 18677760, 0, 4096, 4096, 4, ... 18677760, 4096, ) == 0x0
 00489   304   NtAllocateVirtualMemory  (-1, 18681856, 0, 8192, 4096, 4, ... 18681856, 8192, ) == 0x0
 00490   304   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0
 00491   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x11e0000), 0x0, 12288, ) == 0x0
 00492   304   NtClose  (64, ... ) == 0x0
 00493   304   NtAllocateVirtualMemory  (-1, 18690048, 0, 4096, 4096, 4, ... 18690048, 4096, ) == 0x0
 00494   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00495   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242060, ... ) }, 1242060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242060, ... ) }, 1242060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242060, ... ) }, 1242060, ... ) == 0x0
 00498   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00499   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 60, ) == 0x0
 00500   304   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00501   304   NtClose  (64, ... ) == 0x0
 00502   304   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00503   304   NtClose  (60, ... ) == 0x0
 00504   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00505   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241256, ... ) }, 1241256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241256, ... ) }, 1241256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00507   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241256, ... ) }, 1241256, ... ) == 0x0
 00508   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00509   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 64, ) == 0x0
 00510   304   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00511   304   NtClose  (60, ... ) == 0x0
 00512   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00513   304   NtClose  (64, ... ) == 0x0
 00514   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00515   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00516   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00517   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00518   304   NtClose  (64, ... ) == 0x0
 00519   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00520   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00521   304   NtClose  (64, ... ) == 0x0
 00522   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 64, ) }, ... 64, ) == 0x0
 00524   304   NtQueryValueKey  (64,  (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00525   304   NtClose  (64, ... ) == 0x0
 00526   304   NtQueryDefaultUILanguage  (1240416, ...
 00527   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00528   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482132, ) == 0x0
 00529   304   NtQueryInformationToken  (-2147482132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00530   304   NtClose  (-2147482132, ... ) == 0x0
 00531   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 00532   304   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   304   NtOpenKey  (0x80000000, {24, -2147482132, 0x640, 0, 0,  (0x80000000, {24, -2147482132, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 00534   304   NtQueryValueKey  (-2147482056,  (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   304   NtClose  (-2147482056, ... ) == 0x0
 00536   304   NtClose  (-2147482132, ... ) == 0x0
 00526   304   NtQueryDefaultUILanguage  ... ) == 0x0
 00537   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   304   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00539   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00540   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 60, ) == 0x0
 00541   304   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x11f0000), 0x0, 8323072, ) == 0x0
 00542   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00543   304   NtQueryDefaultLocale  (1, 1238452, ... ) == 0x0
 00544   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   304   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239308, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1@\0\0\0\377\377\377\377\0\0\0\0\20\311V\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2292, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1@\0\0\0\377\377\377\377\0\0\0\0\20\311V\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\360\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 300, 304, 2292, 0}  (24, {128, 156, new_msg, 0, 1239308, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1@\0\0\0\377\377\377\377\0\0\0\0\20\311V\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2292, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1@\0\0\0\377\377\377\377\0\0\0\0\20\311V\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\360\22\0\0\0\0\0" )  ) == 0x0
 00546   304   NtClose  (64, ... ) == 0x0
 00547   304   NtClose  (60, ... ) == 0x0
 00548   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 00549   304   NtUnmapViewOfSection  (-1, 0x12f00c, ... ) == STATUS_NOT_MAPPED_VIEW
 00550   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00551   304   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00552   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00553   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00554   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237536, ... ) }, 1237536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00556   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00557   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00558   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238128, ... ) }, 1238128, ... ) == 0x0
 00559   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00560   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00561   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00562   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 56, ) == 0x0
 00563   304   NtClose  (64, ... ) == 0x0
 00564   304   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x11f0000), 0x0, 921600, ) == 0x0
 00565   304   NtClose  (56, ... ) == 0x0
 00566   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 00567   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00568   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 64, ) == 0x0
 00569   304   NtQuerySection  (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00570   304   NtClose  (56, ... ) == 0x0
 00571   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00572   304   NtClose  (64, ... ) == 0x0
 00573   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00574   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00575   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00576   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00577   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00578   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00579   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00580   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00581   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00582   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00583   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00584   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00585   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00586   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00587   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00588   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00589   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00590   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00591   304   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00592   304   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00593   304   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00594   304   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239312, ... ) , 42, 1239312, ... ) == 0x0
 00595   304   NtQueryDefaultUILanguage  (1238028, ...
 00596   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00597   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482132, ) == 0x0
 00598   304   NtQueryInformationToken  (-2147482132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00599   304   NtClose  (-2147482132, ... ) == 0x0
 00600   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 00601   304   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   304   NtOpenKey  (0x80000000, {24, -2147482132, 0x640, 0, 0,  (0x80000000, {24, -2147482132, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 00603   304   NtQueryValueKey  (-2147482056,  (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   304   NtClose  (-2147482056, ... ) == 0x0
 00605   304   NtClose  (-2147482132, ... ) == 0x0
 00595   304   NtQueryDefaultUILanguage  ... ) == 0x0
 00606   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00607   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236880, ... ) }, 1236880, ... ) == 0x0
 00608   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00609   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 64, ... 56, ) == 0x0
 00610   304   NtClose  (64, ... ) == 0x0
 00611   304   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x11f0000), 0x0, 4096, ) == 0x0
 00612   304   NtClose  (56, ... ) == 0x0
 00613   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 00614   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236520, ... ) }, 1236520, ... ) == 0x0
 00615   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237220,  (0x80100080, {24, 0, 0x40, 0, 1237220, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00616   304   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00617   304   NtClose  (56, ... ) == 0x0
 00618   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x11f0000), {0, 0}, 4096, ) == 0x0
 00619   304   NtClose  (64, ... ) == 0x0
 00620   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 00621   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00622   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00623   304   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x11f0000), 0x0, 4096, ) == 0x0
 00624   304   NtQueryInformationFile  (64, 1236840, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00625   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   304   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236920, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236920, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1@\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\270\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2293, 0} "X\12\27\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1@\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\270\346\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 300, 304, 2293, 0}  (24, {128, 156, new_msg, 0, 1236920, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1@\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\270\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2293, 0} "X\12\27\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1@\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\270\346\22\0\0\0\0\0" )  ) == 0x0
 00627   304   NtClose  (64, ... ) == 0x0
 00628   304   NtClose  (56, ... ) == 0x0
 00629   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 00630   304   NtUnmapViewOfSection  (-1, 0x12e6b8, ... ) == STATUS_NOT_MAPPED_VIEW
 00631   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00632   304   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00633   304   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00634   304   NtUserGetDC  (0, ... ) == 0x1010052
 00635   304   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00636   304   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00637   304   NtUserSystemParametersInfo  (66, 12, 1239332, 0, ... ) == 0x1
 00638   304   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00639   304   NtAccessCheck  (1336952, 56, 0x1, 1238736, 1238680, 56, 1238764, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00640   304   NtClose  (56, ... ) == 0x0
 00641   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00642   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00643   304   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00644   304   NtClose  (56, ... ) == 0x0
 00645   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00646   304   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00647   304   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00648   304   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   304   NtClose  (64, ... ) == 0x0
 00650   304   NtUserSystemParametersInfo  (41, 500, 1238832, 0, ... ) == 0x1
 00651   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00652   304   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00654   304   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00655   304   NtClose  (52, ... ) == 0x0
 00656   304   NtClose  (64, ... ) == 0x0
 00657   304   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00658   304   NtUserSystemParametersInfo  (4130, 0, 1239356, 0, ... ) == 0x1
 00659   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00660   304   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00661   304   NtClose  (64, ... ) == 0x0
 00662   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00663   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c03b
 00664   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c03d
 00665   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00666   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c03f
 00667   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00668   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c041
 00669   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00670   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c043
 00671   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c045
 00672   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00673   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c047
 00674   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00675   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c049
 00676   304   NtUserGetClassInfo  (1905590272, 1239252, 1239204, 1239280, 0, ... ) == 0xc049
 00677   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00678   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c04b
 00679   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00680   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c04d
 00681   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00682   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c04f
 00683   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c051
 00684   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00685   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c053
 00686   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00687   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c055
 00688   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c057
 00689   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00690   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c059
 00691   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10013
 00692   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c05b
 00693   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00694   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c05d
 00695   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00696   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c05f
 00697   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00698   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c017
 00699   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00700   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c019
 00701   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10013
 00702   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c018
 00703   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00704   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c01a
 00705   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00706   304   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x8127c01c
 00707   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00708   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c01e
 00709   304   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00710   304   NtUserRegisterClassExWOW  (1239148, 1239228, 1239212, 1239244, 0, 384, 0, ... ) == 0x8127c01b
 00711   304   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00712   304   NtUserRegisterClassExWOW  (1239144, 1239224, 1239208, 1239240, 0, 384, 0, ... ) == 0x8127c068
 00713   304   NtUserFindExistingCursorIcon  (1238640, 1238656, 1239224, ... ) == 0x10011
 00714   304   NtUserRegisterClassExWOW  (1239092, 1239172, 1239156, 1239188, 0, 384, 0, ... ) == 0x8127c06a
 00715   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00716   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00717   304   NtClose  (64, ... ) == 0x0
 00718   304   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {300, 0}, ... 64, ) == 0x0
 00719   304   NtQueryInformationProcess  (64, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00720   304   NtClose  (64, ... ) == 0x0
 00721   304   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00722   304   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00723   304   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00724   304   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00725   304   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00726   304   NtClose  (64, ... ) == 0x0
 00727   304   NtUserSystemParametersInfo  (41, 500, 1239992, 0, ... ) == 0x1
 00728   304   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00729   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00730   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00731   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c03b
 00732   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00733   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c03d
 00734   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00735   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00736   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c03f
 00737   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00738   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00739   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ...
 00740   304   NtAllocateVirtualMemory  (-1, 10936320, 0, 4096, 4096, 32, ... 10936320, 4096, ) == 0x0
 00739   304   NtUserRegisterClassExWOW  ... ) == 0x8127c041
 00741   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00742   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00743   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c043
 00744   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00745   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c045
 00746   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00747   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00748   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c047
 00749   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00750   304   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00751   304   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x8127c049
 00752   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00753   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00754   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c04b
 00755   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00756   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00757   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c04d
 00758   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00759   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00760   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c04f
 00761   304   NtUserGetClassInfo  (1999896576, 1240404, 1240356, 1240432, 0, ... ) == 0x0
 00762   304   NtUserRegisterClassExWOW  (1240240, 1240320, 1240304, 1240336, 0, 384, 0, ... ) == 0x8127c051
 00763   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00764   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00765   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c053
 00766   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00767   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00768   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c055
 00769   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c057
 00770   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00771   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00772   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c059
 00773   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00774   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10013
 00775   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c05b
 00776   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00777   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00778   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c05d
 00779   304   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00780   304   NtUserFindExistingCursorIcon  (1239784, 1239800, 1240368, ... ) == 0x10011
 00781   304   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x8127c05f
 00782   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc03b
 00783   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc03d
 00784   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc03f
 00785   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc041
 00786   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc043
 00787   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc045
 00788   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc047
 00789   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc049
 00790   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc04b
 00791   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc04d
 00792   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc04f
 00793   304   NtUserGetClassInfo  (1999896576, 1242156, 1242108, 1242184, 0, ... ) == 0xc051
 00794   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc053
 00795   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc055
 00796   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc059
 00797   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc05b
 00798   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc05d
 00799   304   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc05f
 00800   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00801   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00802   304   NtClose  (64, ... ) == 0x0
 00803   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 64, ) }, ... 64, ) == 0x0
 00804   304   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00805   304   NtClose  (64, ... ) == 0x0
 00806   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 00809   304   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00810   304   NtClose  (64, ... ) == 0x0
 00811   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00812   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00813   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00814   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00815   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 00816   304   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   304   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   304   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   304   NtClose  (64, ... ) == 0x0
 00820   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 00821   304   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   304   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   304   NtClose  (64, ... ) == 0x0
 00824   304   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 64, ) }, ... 64, ) == 0x0
 00825   304   NtOpenEvent  (0x1f0003, {24, 64, 0x0, 0, 0,  (0x1f0003, {24, 64, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   304   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00827   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00828   304   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00829   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00831   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00832   304   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00833   304   NtCreateMutant  (0x1f0001, {24, 64, 0x80, 0, 0,  (0x1f0001, {24, 64, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 52, ) }, 0, ... 52, ) == 0x0
 00834   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1237180, ... ) }, 1237180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00836   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1237180, ... ) }, 1237180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1237180, ... ) }, 1237180, ... ) == 0x0
 00838   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00839   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00840   304   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00841   304   NtClose  (68, ... ) == 0x0
 00842   304   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00843   304   NtClose  (72, ... ) == 0x0
 00844   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00845   304   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00846   304   NtClose  (72, ... ) == 0x0
 00847   304   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 72, ) == 0x0
 00848   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00849   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 76, ) }, ... 76, ) == 0x0
 00850   304   NtNotifyChangeKey  (76, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00851   304   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00852   304   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00853   304   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00854   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1237180, ... ) }, 1237180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00856   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1237180, ... ) }, 1237180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1237180, ... ) }, 1237180, ... ) == 0x0
 00858   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00859   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00860   304   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00861   304   NtClose  (88, ... ) == 0x0
 00862   304   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00863   304   NtClose  (92, ... ) == 0x0
 00864   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1236376, ... ) }, 1236376, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1236376, ... ) }, 1236376, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1236376, ... ) }, 1236376, ... ) == 0x0
 00868   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00869   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00870   304   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00871   304   NtClose  (92, ... ) == 0x0
 00872   304   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00873   304   NtClose  (88, ... ) == 0x0
 00874   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00875   304   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 18939904, 262144, ) == 0x0
 00876   304   NtAllocateVirtualMemory  (-1, 18939904, 0, 4096, 4096, 4, ... 18939904, 4096, ) == 0x0
 00877   304   NtAllocateVirtualMemory  (-1, 18944000, 0, 8192, 4096, 4, ... 18944000, 8192, ) == 0x0
 00878   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00879   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00880   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00881   304   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00882   304   NtClose  (88, ... ) == 0x0
 00883   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00884   304   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00885   304   NtClose  (88, ... ) == 0x0
 00886   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 88, ) }, ... 88, ) == 0x0
 00887   304   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00888   304   NtClose  (88, ... ) == 0x0
 00889   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   304   NtCreateEvent  (0x1f0003, {24, 64, 0x80, 1237312, 0,  (0x1f0003, {24, 64, 0x80, 1237312, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00891   304   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 88, ) }, ... 88, ) == 0x0
 00892   304   NtCreateKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00893   304   NtQueryDefaultUILanguage  (1235548, ...
 00894   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00895   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482132, ) == 0x0
 00896   304   NtQueryInformationToken  (-2147482132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00897   304   NtClose  (-2147482132, ... ) == 0x0
 00898   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 00899   304   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900   304   NtOpenKey  (0x80000000, {24, -2147482132, 0x640, 0, 0,  (0x80000000, {24, -2147482132, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 00901   304   NtQueryValueKey  (-2147482056,  (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   304   NtClose  (-2147482056, ... ) == 0x0
 00903   304   NtClose  (-2147482132, ... ) == 0x0
 00893   304   NtQueryDefaultUILanguage  ... ) == 0x0
 00904   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00906   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00907   304   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1250000), 0x0, 593920, ) == 0x0
 00908   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   304   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00910   304   NtQueryDefaultLocale  (1, 1233584, ... ) == 0x0
 00911   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   304   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234440, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234440, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275,\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2308, 0} " S\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275,\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\335\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 300, 304, 2308, 0}  (24, {128, 156, new_msg, 0, 1234440, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275,\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2308, 0} " S\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0P\275,\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\335\22\0\0\0\0\0" )  ) == 0x0
 00913   304   NtClose  (96, ... ) == 0x0
 00914   304   NtClose  (100, ... ) == 0x0
 00915   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 00916   304   NtUnmapViewOfSection  (-1, 0x12dd08, ... ) == STATUS_NOT_MAPPED_VIEW
 00917   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00918   304   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00920   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00921   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1232124, ... ) }, 1232124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00923   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00924   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00925   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1232716, ... ) }, 1232716, ... ) == 0x0
 00926   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00927   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00928   304   NtCreateKey  (0x2001f, {24, 56, 0x40, 0, 0,  (0x2001f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00929   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1237200, ... ) }, 1237200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   304   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1237200, ... ) }, 1237200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00932   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1237200, ... ) }, 1237200, ... ) == 0x0
 00933   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00934   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00935   304   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00936   304   NtClose  (104, ... ) == 0x0
 00937   304   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00938   304   NtClose  (108, ... ) == 0x0
 00939   304   NtAllocateVirtualMemory  (-1, 18694144, 0, 8192, 4096, 4, ... 18694144, 8192, ) == 0x0
 00940   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00941   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00942   304   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00943   304   NtClose  (108, ... ) == 0x0
 00944   304   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00945   304   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   304   NtClose  (108, ... ) == 0x0
 00947   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 108, ) }, ... 108, ) == 0x0
 00948   304   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00949   304   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00950   304   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00951   304   NtQueryValueKey  (108,  (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00952   304   NtClose  (108, ... ) == 0x0
 00953   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 108, ) }, ... 108, ) == 0x0
 00954   304   NtQueryValueKey  (108,  (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00955   304   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00956   304   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00957   304   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00958   304   NtQueryValueKey  (108,  (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00959   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236760, ... ) }, 1236760, ... ) == 0x0
 00960   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00961   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00962   304   NtClose  (104, ... ) == 0x0
 00963   304   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1250000), 0x0, 135168, ) == 0x0
 00964   304   NtClose  (112, ... ) == 0x0
 00965   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 00966   304   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00967   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237648, ... ) }, 1237648, ... ) == 0x0
 00968   304   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238316, ... ) }, 1238316, ... ) == 0x0
 00969   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238172,  (0x80100080, {24, 0, 0x40, 0, 1238172, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00970   304   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00971   304   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1250000), {0, 0}, 135168, ) == 0x0
 00972   304   NtQueryDefaultLocale  (1, 1237980, ... ) == 0x0
 00973   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00974   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00975   304   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00976   304   NtQueryInformationFile  (112, 1238224, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00977   304   NtSetInformationFile  (112, 1238224, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00978   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00979   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00980   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00981   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00982   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00983   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00984   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00985   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00986   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00987   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00988   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00989   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00990   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00991   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00992   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00993   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00994   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00995   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00996   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00997   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00998   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00999   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01000   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01001   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01002   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01003   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01004   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01005   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01006   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01007   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01008   304   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01009   304   NtQueryInformationFile  (112, 1238224, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01010   304   NtSetInformationFile  (112, 1238224, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01011   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01012   304   NtReadFile  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (112, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01013   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01014   304   NtClose  (104, ... ) == 0x0
 01015   304   NtClose  (112, ... ) == 0x0
 01016   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236704, ... ) }, 1236704, ... ) == 0x0
 01017   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01018   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 112, ... 104, ) == 0x0
 01019   304   NtClose  (112, ... ) == 0x0
 01020   304   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1250000), 0x0, 135168, ) == 0x0
 01021   304   NtClose  (104, ... ) == 0x0
 01022   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01023   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 01024   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01025   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 112, ) == 0x0
 01026   304   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01027   304   NtClose  (104, ... ) == 0x0
 01028   304   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01029   304   NtClose  (112, ... ) == 0x0
 01030   304   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01031   304   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01032   304   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01033   304   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01034   304   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01035   304   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01036   304   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01037   304   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01038   304   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01039   304   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01040   304   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01041   304   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01042   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01043   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01044   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01045   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01046   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01047   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01048   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01049   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01050   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01051   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01052   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01053   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01054   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01055   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01056   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01057   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01058   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01059   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01060   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01061   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01062   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01063   304   NtQueryDefaultLocale  (1, 1235872, ... ) == 0x0
 01064   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235972, ... ) }, 1235972, ... ) == 0x0
 01065   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236704,  (0x80100080, {24, 0, 0x40, 0, 1236704, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01066   304   NtQueryVolumeInformationFile  (112, 1236864, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01067   304   NtQueryInformationFile  (112, 1236756, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01068   304   NtQueryInformationFile  (112, 1237048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01069   304   NtClose  (112, ... ) == 0x0
 01070   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235464, ... ) }, 1235464, ... ) == 0x0
 01071   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236196,  (0x80100080, {24, 0, 0x40, 0, 1236196, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01072   304   NtQueryVolumeInformationFile  (112, 1236356, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01073   304   NtQueryInformationFile  (112, 1236248, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01074   304   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 01075   304   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1250000), {0, 0}, 135168, ) == 0x0
 01076   304   NtQueryDefaultLocale  (1, 1236336, ... ) == 0x0
 01077   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01078   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01079   304   NtQueryDefaultLocale  (1, 1236336, ... ) == 0x0
 01080   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01081   304   NtQueryVirtualMemory  (-1, 0x1250000, Basic, 28, ... {BaseAddress=0x1250000,AllocationBase=0x1250000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01082   304   NtReadFile  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (112, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01083   304   NtQueryInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01084   304   NtSetInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01085   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01086   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01087   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01088   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01089   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01090   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01091   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01092   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01093   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01094   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01095   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01096   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01097   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01098   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01099   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01100   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01101   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01102   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01103   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01104   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01105   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01106   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01107   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01108   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01109   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01110   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01111   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01112   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01113   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01114   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01115   304   NtReadFile  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (112, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01116   304   NtQueryInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01117   304   NtSetInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01118   304   NtQueryInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01119   304   NtSetInformationFile  (112, 1236584, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01120   304   NtReadFile  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (112, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01121   304   NtReadFile  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (112, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01122   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01123   304   NtClose  (104, ... ) == 0x0
 01124   304   NtClose  (112, ... ) == 0x0
 01125   304   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 112, ) }, ... 112, ) == 0x0
 01126   304   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01127   304   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01128   304   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01129   304   NtQueryValueKey  (112,  (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01130   304   NtClose  (112, ... ) == 0x0
 01131   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   304   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01133   304   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 01134   304   NtQueryInformationToken  (112, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01135   304   NtClose  (112, ... ) == 0x0
 01136   304   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01137   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 112, {status=0x0, info=0}, ) }, 7, 16, ... 112, {status=0x0, info=0}, ) == 0x0
 01138   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01139   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01140   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01141   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01142   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01143   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01144   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01145   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01146   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01147   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\275\344\221\37\2457\215>\271\36\314)#\215I\366&&7\364vD\227\33K\375\325\213\212\301_\277Q\355\210A\216\3\241\30\342\325\241yw\261\344\30y\12\226\255S!{\335\4\314\333\20\204 \342Z\35r\356\14\367$x\306\365\377\205\320\303\37\303P", 80, ... , 0, 3,  (-2147482132, "Seed", 0, 3, "\275\344\221\37\2457\215>\271\36\314)#\215I\366&&7\364vD\227\33K\375\325\213\212\301_\277Q\355\210A\216\3\241\30\342\325\241yw\261\344\30y\12\226\255S!{\335\4\314\333\20\204 \342Z\35r\356\14\367$x\306\365\377\205\320\303\37\303P", 80, ... , 80, ...
 01148   304   NtSetInformationFile  (-2147482836, -133464452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01149   304   NtSetInformationFile  (-2147482836, -133464488, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01147   304   NtSetValueKey  ... ) == 0x0
 01150   304   NtClose  (-2147482132, ... ) == 0x0
 01138   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "i\351\373X\203`\17\235nQhq{\331\204"\13\274\231\235\322h\374\172H\334=\331\237%\33\244\341\264+\227\240\11\327\36\24\330\22f\357\2770\324PN>\301\265\26#\243xC\263B\265\3432\325h\326X4R\303\357\350\340f&\372\351n(TVAq\217\366u\202 \355\12\304\320Fn\310K\340~\333\346r\226\234<\204,\341,s\227\220\255\270.r\217a\273x\321\362\364}\373p\300\346\244\2001P\301R\313\257\274\\5r\211\340V\353\313zc\23"\235\276&\217p\337%GV\332\211\317\231\371\312\314>\324\227\21\3434(j\205\27o\215T\37,\240\3152\326<$\230\257\322L\330\\272IyN\223\314\233\327B\365x\230\6V\276\314\247\351h\315\274\2061\246\251~Z\225\200\367\12\273w!\365\377\346b\321\177'cc\247r\25\210\27VB\303v[\10\312\364\305\321\360\214\247\236\5", ) \13\274\231\235\322h\374\172H\334=\331\237%\33\244\341\264+\227\240\11\327\36\24\330\22f\357\2770\324PN>\301\265\26#\243xC\263B\265\3432\325h\326X4R\303\357\350\340f&\372\351n(TVAq\217\366u\202 \355\12\304\320Fn\310K\340~\333\346r\226\234<\204,\341,s\227\220\255\270.r\217a\273x\321\362\364}\373p\300\346\244\2001P\301R\313\257\274\\5r\211\340V\353\313zc\23 ... {status=0x0, info=256}, "i\351\373X\203`\17\235nQhq{\331\204"\13\274\231\235\322h\374\172H\334=\331\237%\33\244\341\264+\227\240\11\327\36\24\330\22f\357\2770\324PN>\301\265\26#\243xC\263B\265\3432\325h\326X4R\303\357\350\340f&\372\351n(TVAq\217\366u\202 \355\12\304\320Fn\310K\340~\333\346r\226\234<\204,\341,s\227\220\255\270.r\217a\273x\321\362\364}\373p\300\346\244\2001P\301R\313\257\274\\5r\211\340V\353\313zc\23"\235\276&\217p\337%GV\332\211\317\231\371\312\314>\324\227\21\3434(j\205\27o\215T\37,\240\3152\326<$\230\257\322L\330\\272IyN\223\314\233\327B\365x\230\6V\276\314\247\351h\315\274\2061\246\251~Z\225\200\367\12\273w!\365\377\346b\321\177'cc\247r\25\210\27VB\303v[\10\312\364\305\321\360\214\247\236\5", ) , ) == 0x0
 01151   304   NtClose  (108, ... ) == 0x0
 01152   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\362>\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01153   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01154   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01155   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01156   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01157   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01158   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01159   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01160   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01161   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\365\243\360\20\21\343\1%\14\312\363\356\2214\321\227-\2K\330%\256\353+}f\302\255"\264\21v\315\255\240\377\16\264\23\323\2Mb\177\373\240\376e\241Hm\177 \220\11\314K\153\2370E\200\33~\3630, 3,  (-2147482132, "Seed", 0, 3, "\365\243\360\20\21\343\1%\14\312\363\356\2214\321\227-\2K\330%\256\353+}f\302\255"\264\21v\315\255\240\377\16\264\23\323\2Mb\177\373\240\376e\241Hm\177 \220\11\314K\153\2370E\200\33~\363264\21v\315\255\240\377\16\264\23\323\2Mb\177\373\240\376e\241Hm\177 \220\11\314K\153\2370E\200\33~\363200\35\311s\23^\240\245\357", 80, ... ) == 0x0
 01162   304   NtClose  (-2147482132, ... ) == 0x0
 01152   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "8\263\203.%!U \20a}\363\37\323=\210\262kD*|m\17\3534s,?\323l\254\20\232!\320u\327\364\367j\351M7(\241oj\356\2\324\5\220D\203\270\330Me\213\200,@\224\374O\277\254\310f\302B\31\361\1\237)\307\265\365a\373\316[\267\0?y\223\6\340\305$[\253\35\264Hj\261\325\360\350\326F\36\367pp~([\313\204\342\342\331\222e\327\14\356\34L\5zK\317\330\14G\233s\231E\312\313\323\260E\347+^%a\3\22:\200\320\335p\275\307\301\17\212\343\336IT\227\330\131u\271\247\370Y\24\20\325\27kgf\13=\222\234.g\340|\316\23{$\362\23y\204\204\364\10I\235\332t\255\376\15\30\34A\301(\201\366@2\253\21Y\365X$mN#g\336@\320\347\233\376\4\275\343\24\201\331\256\272$g /\314\231\315\324\33\375H\211\34Eo\256q\264f\275", ) , ) == 0x0
 01163   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01164   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01165   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01166   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01167   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01168   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01169   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01170   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01171   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01172   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\333\340\307\245\205\200/W\36\34\2056\355\7\357\301\332;m\310\364\230;<:\336\2421\25\316GL0\347\315QD\226\353\365\224{\337Q\333l\354\345hl?F5\12\314D(f\266T\1\20Z\264\213\374\320\33\257\347Ie\330\32\234W\202\354#\317", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\333\340\307\245\205\200/W\36\34\2056\355\7\357\301\332;m\310\364\230;<:\336\2421\25\316GL0\347\315QD\226\353\365\224{\337Q\333l\354\345hl?F5\12\314D(f\266T\1\20Z\264\213\374\320\33\257\347Ie\330\32\234W\202\354#\317", 80, ... ) , 80, ... ) == 0x0
 01173   304   NtClose  (-2147482132, ... ) == 0x0
 01163   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\232~\277\347\214\232[\301\276\237P7\\331F\303\341\4\17+\373\307n\214\221\371\252\3115_}\354@\372\25\305Z\210\350W\10\313\36\3561.\16#;,\3\224Q\\23\12\225\366W\5\357;\206\210\255\348\367c\11j"\366\240\332'U\17\261\3615\221\319\355e\215=\272,/\3008g\16\356i\351\216e\206\203\355\376\215\314\366'\357?\235\222M\205\355C\246\334e\303xR5\5\21\261-\230\247\303B\204j\306)\351\370m\12<\332\343p\0\217\23>\223^\262\300\24\367\342]\217\306\275\377\301\34\4\320N\372\2021\241\213|\365xH\325\373f\374^\200!#\20\261q\250\212\3117\277uA}\232'\307\244\220\265\10\37\254\344G\224A\3269\363\20\27TBJ\234\301\200\0Z\252:\333\266\352\367N\26Uhy\322\335Kbq\263\304\230E\313\231r\332\24\375\270m \31K\234\305\200\207H;\341", ) \366\240\332'U\17\261\3615\221\319\355e\215=\272,/\3008g\16\356i\351\216e\206\203\355\376\215\314\366'\357?\235\222M\205\355C\246\334e\303xR5\5\21\261-\230\247\303B\204j\306)\351\370m\12<\332\343p\0\217\23>\223^\262\300\24\367\342]\217\306\275\377\301\34\4\320N\372\2021\241\213|\365xH\325\373f\374^\200!#\20\261q\250\212\3117\277uA}\232'\307\244\220\265\10\37\254\344G\224A\3269\363\20\27TBJ\234\301\200\0Z\252:\333\266\352\367N\26Uhy\322\335Kbq\263\304\230E\313\231r\332\24\375\270m \31K\234\305\200\207H;\341", ) == 0x0
 01174   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sW\214G\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01175   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01176   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01177   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01178   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01179   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01180   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01181   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01182   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01183   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\253\15\206F(P\7\212\25L\245\354\216b\313H/\3271\357\355\2\301\321\210\374\231\30\224a\270\322\260\354a\2214\327\25t0\0\231\261\216\240\2329\25\235\322\326\355\6\37\204\234\23q\242, 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\253\15\206F(P\7\212\25L\245\354\216b\313H/\3271\357\355\2\301\321\210\374\231\30\224a\270\322\260\354a\2214\327\25t0\0\231\261\216\240\2329\25\235\322\326\355\6\37\204\234\23q\242, 80, ... ) , 80, ... ) == 0x0
 01184   304   NtClose  (-2147482132, ... ) == 0x0
 01174   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "6\220\317\7\250\232#\23\243\11\255U\222\240\1c\254Z\255R\3\1\377\207\215\242j(\145\2569\375\204\2c\255j\210\236/}\256\271\251\344\17%]\357\201\3545\36\1\377\30\357E\370\201"G\362\221\254\31\210\270\255N\275O\5\364\343\201\262\250\356M\343A\221\241\3678\352\370;p\332\366\312\314v\23:\31\25,\212\254\341\301\20\233H\214\314S\252:9(\325\331]\326!\311q\216\227=P\233\323\355t\22\273hl\277\317p3\330"z\222\263 \220\346\247\346\2\235$\315\367\362;|{\346\311\354\315\317C\371\210\377h\254Q\206\361\231\264/M\10*\331\226\207'\207D\226\25\32\325\255\352\238\266Q^\236X\340u\311p T\273\332>LB\10\211\317\275p\314nR;W\253l\267\216\301\344{*g\255(\373\272E\361\6w\342r\24\204\323\\3415HM\276\332UR\213\231Q\203/\233\2425", ) G\362\221\254\31\210\270\255N\275O\5\364\343\201\262\250\356M\343A\221\241\3678\352\370;p\332\366\312\314v\23:\31\25,\212\254\341\301\20\233H\214\314S\252:9(\325\331]\326!\311q\216\227=P\233\323\355t\22\273hl\277\317p3\330 ... {status=0x0, info=256}, "6\220\317\7\250\232#\23\243\11\255U\222\240\1c\254Z\255R\3\1\377\207\215\242j(\145\2569\375\204\2c\255j\210\236/}\256\271\251\344\17%]\357\201\3545\36\1\377\30\357E\370\201"G\362\221\254\31\210\270\255N\275O\5\364\343\201\262\250\356M\343A\221\241\3678\352\370;p\332\366\312\314v\23:\31\25,\212\254\341\301\20\233H\214\314S\252:9(\325\331]\326!\311q\216\227=P\233\323\355t\22\273hl\277\317p3\330"z\222\263 \220\346\247\346\2\235$\315\367\362;|{\346\311\354\315\317C\371\210\377h\254Q\206\361\231\264/M\10*\331\226\207'\207D\226\25\32\325\255\352\238\266Q^\236X\340u\311p T\273\332>LB\10\211\317\275p\314nR;W\253l\267\216\301\344{*g\255(\373\272E\361\6w\342r\24\204\323\\3415HM\276\332UR\213\231Q\203/\233\2425", ) , ) == 0x0
 01185   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sW\214G\334\200\223sW\214G\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01186   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01187   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01188   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01189   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01190   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01191   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01192   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01193   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01194   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\376c{|\234\4\23\210\327|\301\222\331L\371\32\321S\374G\334\373w\302\322\1\253g\346C\356Q\204\366\203\337sl\326P\15\260\236\302\206\375\331w\347\0\340\334\271\325\312\253\10\367\257|{\310\265\202\356\311p\222\10\17,\237 _alb\356Y", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\376c{|\234\4\23\210\327|\301\222\331L\371\32\321S\374G\334\373w\302\322\1\253g\346C\356Q\204\366\203\337sl\326P\15\260\236\302\206\375\331w\347\0\340\334\271\325\312\253\10\367\257|{\310\265\202\356\311p\222\10\17,\237 _alb\356Y", 80, ... ) , 80, ... ) == 0x0
 01195   304   NtClose  (-2147482132, ... ) == 0x0
 01185   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\205\247\360z\347M\250Y`1i\30\211\334\243\277H&\266'\232\377\346{\330b\234S\206\16\310}\262\307L8};I\252ct\304\346\307\370\221\22\243\277o\361\311\367\225\302\226\30)9i\12]17\30'\352\205"m\204\235\3321\261\356\351\305\351?\322\36\330oPWH\3243\301\326\252D\357T\230\256$\200s7\341\252\375$\320\227\220\242\355\15d\360l\7YYLh\315L\226!\250\351|\354\0\377V\335\3174\223\320\23\367m\354bU\202\214\310\260\232\350\262h\332\354\31\225\306zV\214\373n\0a\200/ik\336\262\344\373\271k\237\276\323\14\10<\23\220\255\325\344\346NXX\227P\333\20yT\324\373\245\302n5B \227\371x\301\275m\206\247\213nZ\265\60\337D\12\36\377$(\37\324\224\374>`\331\6\17\256M\33\304\12\13\323O\246\224\324}\317\232\340ooQ\221\231WW6\252", ) m\204\235\3321\261\356\351\305\351?\322\36\330oPWH\3243\301\326\252D\357T\230\256$\200s7\341\252\375$\320\227\220\242\355\15d\360l\7YYLh\315L\226!\250\351|\354\0\377V\335\3174\223\320\23\367m\354bU\202\214\310\260\232\350\262h\332\354\31\225\306zV\214\373n\0a\200/ik\336\262\344\373\271k\237\276\323\14\10<\23\220\255\325\344\346NXX\227P\333\20yT\324\373\245\302n5B \227\371x\301\275m\206\247\213nZ\265\60\337D\12\36\377$(\37\324\224\374>`\331\6\17\256M\33\304\12\13\323O\246\224\324}\317\232\340ooQ\221\231WW6\252", ) == 0x0
 01196   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01197   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01198   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01199   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01200   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01201   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01202   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01203   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01204   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01205   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\361\220e\342K\27\311i\16y\263V\274B\342\202\27\216.\222\266\252$V|\345~\264a|GU\303g\272]\34\4`\271\256|"\335\310\305\365\201rY\233H\313\266(\17\270T&\334\20*7\235f\251\11\320\217\232w\341M\3009Q\375\215{\251", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\361\220e\342K\27\311i\16y\263V\274B\342\202\27\216.\222\266\252$V|\345~\264a|GU\303g\272]\34\4`\271\256|"\335\310\305\365\201rY\233H\313\266(\17\270T&\334\20*7\235f\251\11\320\217\232w\341M\3009Q\375\215{\251", 80, ... ) \335\310\305\365\201rY\233H\313\266(\17\270T&\334\20*7\235f\251\11\320\217\232w\341M\3009Q\375\215{\251", 80, ... ) == 0x0
 01206   304   NtClose  (-2147482132, ... ) == 0x0
 01196   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\34\344\355&\215\24@\266\252\327E\177\252\275\272\236Y\24\375\367\372\340=\337\220R\26\177us\306\3262\337ay\265\2tKN\315\361\265n\336\326f\375\374\26\253\200\270\\350|\237F\274\26z\277\375\241\302\344\250*\24\11bI\337,\16\204\267\306\212\215pn\2407\343k\32\36\203\340\265@0\10`\304ojI\3\341(\17"\302\351\357\302\216"\12(\310 b\6{\360s\201\24\317k\235K\224\23\\277\273\367\262\205\216\332\227\3708\244\313\223\353\332/\354\353\230$Y\236Ki\306:)\272\324d=\315\337\373\336\220\336a\274\364`\360\301\266\270\230I\10\347\210\353|'4\26s\355\321\202\226a46\333h`g\257\351\341\364\36\321\344l\355\212\354\15\252\27\21i\3023\341\23\274'+}v\337\36\311\274\373\272\3620\355,\16d\52\2757\313\327\24*\300A\366\243\277\376\212\344\302\310\227<\252\277", ) \302\351\357\302\216 ... {status=0x0, info=256}, "\34\344\355&\215\24@\266\252\327E\177\252\275\272\236Y\24\375\367\372\340=\337\220R\26\177us\306\3262\337ay\265\2tKN\315\361\265n\336\326f\375\374\26\253\200\270\\350|\237F\274\26z\277\375\241\302\344\250*\24\11bI\337,\16\204\267\306\212\215pn\2407\343k\32\36\203\340\265@0\10`\304ojI\3\341(\17"\302\351\357\302\216"\12(\310 b\6{\360s\201\24\317k\235K\224\23\\277\273\367\262\205\216\332\227\3708\244\313\223\353\332/\354\353\230$Y\236Ki\306:)\272\324d=\315\337\373\336\220\336a\274\364`\360\301\266\270\230I\10\347\210\353|'4\26s\355\321\202\226a46\333h`g\257\351\341\364\36\321\344l\355\212\354\15\252\27\21i\3023\341\23\274'+}v\337\36\311\274\373\272\3620\355,\16d\52\2757\313\327\24*\300A\366\243\277\376\212\344\302\310\227<\252\277", ) , ) == 0x0
 01207   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01208   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01209   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01210   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01211   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01212   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01213   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01214   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01215   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01216   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "]j\227^a\345\332\33IV\243]VA^ \355\233!\300\215o\270o\373$z\36\15\364\231\262\3233q\347WxLI\230\24n\213\326\267J\351\231\206\33$\364\342v\217\324\S\327j9\240\321V\217\236D\356j\7j:~\367\274d\200\202\205", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "]j\227^a\345\332\33IV\243]VA^ \355\233!\300\215o\270o\373$z\36\15\364\231\262\3233q\347WxLI\230\24n\213\326\267J\351\231\206\33$\364\342v\217\324\S\327j9\240\321V\217\236D\356j\7j:~\367\274d\200\202\205", 80, ... ) , 80, ... ) == 0x0
 01217   304   NtClose  (-2147482132, ... ) == 0x0
 01207   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "p\352\33\222Q\356\340\13Y\310\372\244\244\216\220g\223\3467\11\253V\377S\377\364d\16\306u\367\346\362\351\35\236\4/\247\0\373\305>\3\370%\211/\265\336o>\331_Ww8\341L\\213m\313G6\215\356W\310\4\33G]0\303S\33-\333K\272\30\356\356\375\362j\230\232\325[\213\17w\235\242\363q\332\231\371x\234\367*\262\376n\33@\260\U\227_\215\30\5\303\323\327\3{\276n\253Qm\305\324|\3557\324R\6\32^#\272\221\12\276\364\7F\310\210\30\375\301n\373\373\271\15\356\317\333\35\333.l\253"Hg7\323r \25Hr-NO\232\241"\354\3!\2622\201D\374ZZu}\260\227\347\177\366?\370\231i\376\302t\314\1\330\247z5\211\24\200\315HqlSr\35(\333\15=A\230\371]\371x\273\255\303X@\204!o\362:4\213Es>X\5\334\310c]\203\243\22", ) Hg7\323r \25Hr-NO\232\241 ... {status=0x0, info=256}, "p\352\33\222Q\356\340\13Y\310\372\244\244\216\220g\223\3467\11\253V\377S\377\364d\16\306u\367\346\362\351\35\236\4/\247\0\373\305>\3\370%\211/\265\336o>\331_Ww8\341L\\213m\313G6\215\356W\310\4\33G]0\303S\33-\333K\272\30\356\356\375\362j\230\232\325[\213\17w\235\242\363q\332\231\371x\234\367*\262\376n\33@\260\U\227_\215\30\5\303\323\327\3{\276n\253Qm\305\324|\3557\324R\6\32^#\272\221\12\276\364\7F\310\210\30\375\301n\373\373\271\15\356\317\333\35\333.l\253"Hg7\323r \25Hr-NO\232\241"\354\3!\2622\201D\374ZZu}\260\227\347\177\366?\370\231i\376\302t\314\1\330\247z5\211\24\200\315HqlSr\35(\333\15=A\230\371]\371x\273\255\303X@\204!o\362:4\213Es>X\5\334\310c]\203\243\22", ) , ) == 0x0
 01218   304   NtDeviceIoControlFile  (112, 0, 0x0, 0x0, 0x390008,  (112, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377]\337f<\4\236\340\21B\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sW\214G\334\200\223sWo;\0\202\220\227A\26\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01219   304   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01220   304   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01221   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01222   304   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01223   304   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01224   304   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01225   304   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01226   304   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0
 01227   304   NtSetValueKey  (-2147482132,  (-2147482132, "Seed", 0, 3, "\210\236\316\342\241\262\337\33\267\253\321p\324$F\207\3223vM[\264\256\353y\376\371F\24\1\320\326h.\225\367\264\346\\360\246q\270D\364\360\257R(i^\370\324\362)\207f\373\360\15\35\2736\241\312\270\30[\363\222\326\222\224A\217Z\267\300\354", 80, ... ) , 0, 3,  (-2147482132, "Seed", 0, 3, "\210\236\316\342\241\262\337\33\267\253\321p\324$F\207\3223vM[\264\256\353y\376\371F\24\1\320\326h.\225\367\264\346\\360\246q\270D\364\360\257R(i^\370\324\362)\207f\373\360\15\35\2736\241\312\270\30[\363\222\326\222\224A\217Z\267\300\354", 80, ... ) , 80, ... ) == 0x0
 01228   304   NtClose  (-2147482132, ... ) == 0x0
 01218   304   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Emp\7Dv\2266\353\213\264\371\317\2475\37p\26\242\377\315\217\240\236'\271J\272De\203\2s-\343\375\256U\275)\365\267ThY\252.\241\206oQ\257\355z\3444\245I\226dI\266\15V-\335\257\372\331d\266\255.\233a]Q\3726\303\314o\336\35\255+.\343F\371\210W\257\236\26\324\371\240\343r\363C%Y$\370\31W\177\272\266:\246\363\236\314\266\357cD!\217E\3\210\353[\0N\357\5~WLZ)\3\221\26\32\252d\225\255&\307\220\327\36$\306\374B\325I\315\256D\336q/\36\337\322\355\235\0\361\377\370B\2419\355r\371do/\345\372\13R\21\235\315\312\5\3\334\265\352\224\323\20\236\312\253\221\361\342\314@\227\344\300\235, ) , ) == 0x0
 01229   304   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0
 01230   304   NtQueryVolumeInformationFile  (108, 1237952, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01231   304   NtClose  (12, ... ) == 0x0
 01232   304   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237172,  (0x80100080, {24, 0, 0x40, 0, 1237172, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01234   304   NtQueryInformationFile  (12, 1238108, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01235   304   NtQueryInformationFile  (12, 1238080, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01236   304   NtQueryInformationFile  (12, 1238032, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01237   304   NtAllocateVirtualMemory  (-1, 1392640, 0, 8192, 4096, 4, ... 1392640, 8192, ) == 0x0
 01238   304   NtQueryInformationFile  (12, 1389224, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01239   304   NtQueryInformationFile  (12, 1236576, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01240   304   NtQueryInformationFile  (12, 1236420, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01241   304   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236428,  (0x40110080, {24, 0, 0x40, 0, 1236428, "\??\C:\WINDOWS\System32\winIogon.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01242   304   NtClose  (-2147482132, ... ) == 0x0
 01241   304   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 01243   304   NtQueryVolumeInformationFile  (104, 1235800, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01244   304   NtQueryInformationFile  (104, 1235760, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01245   304   NtQueryVolumeInformationFile  (12, 1235800, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01246   304   NtQueryVolumeInformationFile  (12, 1235484, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01247   304   NtSetInformationFile  (104, 1235588, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01248   304   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 116, ) == 0x0
 01249   304   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1250000), {0, 0}, 118784, ) == 0x0
 01250   304   NtClose  (116, ... ) == 0x0
 01251   304   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]c\221?P\0\0\0\0PE\0\0L\1\7\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\0\260R\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0M\3208\0\0\0\0\0\0\0\0\0\240R\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.idata\0\0\0`\1\0\0\20\0\0\243\253\0\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01252   304   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "`\0Q\371\33\311\353\12@H\350\1o\350\6/3\217\205\324\14\337\312\343\5\10\15\345Y/\370\14\34\0C\37,>\35T\\22\25UB\3663\16\14\215@\15\220\11\240I5\205\16!7\21\341\34\352\270\32f&!.\15\367\320\220\5\323CdB\17\212\3510D\337&\252\0K[b!\6\24EG\12@3U\351\232\331\352\17E3\352\233\232\360\273\175\1\216\32\211\30\203\300\4X\226@\333)N\215t\226r\16\352\2053\3516\226\14\0\14X\63\159L\37\5\31S$=\366m7\3566R\366jC\315\2\273\26B\3765\224j\207\322\221\350\344J5\352\322\340\24&XV\0\23\33\2\27^O/\22\32\13HaD\15\362\26\261\332\14DeJf\351@!\16H?\24\366t\3010Jm\216\16R\15\211\366\25\247\20\351\330\14\24B\7"\15GQd@\7_\12.\0&#\22<\4!=4\221\257Q\352\33r\254\255\200n\366\273\11w\221Uv4LcH\4\215[\205tpe\169\342\200\344\22\21\201M3\0\33\4L[\25\2<\26\340G\22;'\353|R\351\215\277C\230\340\263>$\242\254Ru\220\350\336\360\344!,\26\372`\7\12]\14\21\13 Q\17\34=\20U\20\350\337\215\207\333\5\342\272\3413\15\374\231N\332/\240\273R\263\247o\217\317\224/\212\345j\201\25D\37\14\27\304)K\11S\30\26\11\200\231\17HP\16\12:!3\366m\323\374i\35\250\10m\347\25*m\327\335\243\330 \5\333\231\1H\17R\34\335\240O\21I\3\10\3P:\26T\250\270;\2$F\b\36\353E\33D\351x\352\223P\20\337\301\224g\312zKs\310\352\361\35164,\337\333\300V\114<\0\16#E16\30c\352\217nP\344\300x", 56832, 0x0, 0, ... {status=0x0, info=56832}, ) \15GQd@\7_\12.\0&#\22<\4!=4\221\257Q\352\33r\254\255\200n\366\273\11w\221Uv4LcH\4\215[\205tpe\169\342\200\344\22\21\201M3\0\33\4L[\25\2<\26\340G\22;'\353|R\351\215\277C\230\340\263>$\242\254Ru\220\350\336\360\344!,\26\372`\7\12]\14\21\13 Q\17\34=\20U\20\350\337\215\207\333\5\342\272\3413\15\374\231N\332/\240\273R\263\247o\217\317\224/\212\345j\201\25D\37\14\27\304)K\11S\30\26\11\200\231\17HP\16\12:!3\366m\323\374i\35\250\10m\347\25*m\327\335\243\330 \5\333\231\1H\17R\34\335\240O\21I\3\10\3P:\26T\250\270;\2$F\b\36\353E\33D\351x\352\223P\20\337\301\224g\312zKs\310\352\361\35164,\337\333\300V\114<\0\16#E16\30c\352\217nP\344\300x", 56832, 0x0, 0, ... {status=0x0, info=56832}, ) == 0x0
 01253   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01254   304   NtSetInformationFile  (104, 1238032, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01255   304   NtClose  (12, ... ) == 0x0
 01256   304   NtClose  (104, ... ) == 0x0
 01257   304   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01258   304   NtSetInformationFile  (104, 1238232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01259   304   NtClose  (104, ... ) == 0x0
 01260   304   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01261   304   NtSetInformationFile  (104, 1238232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01262   304   NtClose  (104, ... ) == 0x0
 01263   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237936,  (0x80100080, {24, 0, 0x40, 0, 1237936, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01264   304   NtQueryInformationFile  (104, 1237988, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01265   304   NtClose  (104, ... ) == 0x0
 01266   304   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1237936,  (0x40100080, {24, 0, 0x40, 0, 1237936, "\??\C:\WINDOWS\System32\winIogon.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01267   304   NtSetInformationFile  (104, 1237988, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01268   304   NtClose  (104, ... ) == 0x0
 01269   304   NtOpenFile  (0x10080, {24, 108, 0x40, 0, 0,  (0x10080, {24, 108, 0x40, 0, 0, "rczxtgv.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01270   304   NtCreateFile  (0x40100080, {24, 108, 0x40, 0, 1238184,  (0x40100080, {24, 108, 0x40, 0, 1238184, "rczxtgv.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0
 01271   304   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del rczxtgv.bat\15\12", 123, 0x0, 0, ... {status=0x0, info=123}, ) , 123, 0x0, 0, ... {status=0x0, info=123}, ) == 0x0
 01272   304   NtClose  (104, ... ) == 0x0
 01273   304   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01274   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231524, ... ) }, 1231524, ... ) == 0x0
 01275   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01276   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 12, ) == 0x0
 01277   304   NtClose  (104, ... ) == 0x0
 01278   304   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1250000), 0x0, 262144, ) == 0x0
 01279   304   NtClose  (12, ... ) == 0x0
 01280   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01281   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01282   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01283   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01284   304   NtAllocateVirtualMemory  (-1, 1400832, 0, 16384, 4096, 4, ... 1400832, 16384, ) == 0x0
 01285   304   NtUserRegisterClassExWOW  (1233608, 1233688, 1233672, 1233704, 0, 384, 0, ... ) == 0x8127c038
 01286   304   NtUserGetAtomName  (49208, 1232372, ... ) == 0x15
 01287   304   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01288   304   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01289   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229896, ... ) }, 1229896, ... ) == 0x0
 01290   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01291   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 104, ) == 0x0
 01292   304   NtClose  (12, ... ) == 0x0
 01293   304   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1250000), 0x0, 204800, ) == 0x0
 01294   304   NtClose  (104, ... ) == 0x0
 01295   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 01296   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230212, ... ) }, 1230212, ... ) == 0x0
 01297   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01298   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 12, ) == 0x0
 01299   304   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01300   304   NtClose  (104, ... ) == 0x0
 01301   304   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01302   304   NtClose  (12, ... ) == 0x0
 01303   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01304   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01305   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01306   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01307   304   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01308   304   NtClose  (12, ... ) == 0x0
 01309   304   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01310   304   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 104, ) }, ... 104, ) == 0x0
 01311   304   NtQueryValueKey  (104,  (104, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   304   NtClose  (104, ... ) == 0x0
 01313   304   NtClose  (12, ... ) == 0x0
 01314   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01315   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01316   304   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01317   304   NtClose  (12, ... ) == 0x0
 01318   304   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01319   304   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 01320   304   NtQueryValueKey  (104,  (104, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   304   NtClose  (104, ... ) == 0x0
 01322   304   NtClose  (12, ... ) == 0x0
 01323   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1229712, ... ) }, 1229712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "UxTheme.dll"}, 1229712, ... ) }, 1229712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 01326   304   NtUserGetProcessWindowStation  (... ) == 0x28
 01327   304   NtUserGetObjectInformation  (40, 2, 0, 0, 1232008, ... ) == 0x0
 01328   304   NtUserGetObjectInformation  (40, 2, 1354456, 16, 1232008, ... ) == 0x1
 01329   304   NtUserGetGUIThreadInfo  (304, 1231964, ... ) == 0x1
 01330   304   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1231784, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1231784, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01331   304   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2310, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 300, 304, 2310, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2310, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01332   304   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2311, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 300, 304, 2311, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2311, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01333   304   NtUserCallNoParam  (29, ...
 01334   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229256, ... ) }, 1229256, ... ) == 0x0
 01333   304   NtUserCallNoParam  ... ) == 0x0
 01335   304   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01336   304   NtGdiHfontCreate  (1231336, 356, 0, 0, 1363392, ... ) == 0x90a0311
 01337   304   NtGdiHfontCreate  (1231336, 356, 0, 0, 1363384, ... ) == 0x90a0344
 01338   304   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2312, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 300, 304, 2312, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 300, 304, 2312, 0} "\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01339   304   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1250000), {0, 0}, 331776, ) == 0x0
 01340   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01341   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01342   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01343   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01344   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01345   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01346   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01347   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01348   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01349   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01350   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01351   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01352   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01353   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01354   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01355   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01356   304   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01357   304   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x11100338
 01358   304   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01359   304   NtUserCallNoParam  (29, ...
 01360   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228700, ... ) }, 1228700, ... ) == 0x0
 01359   304   NtUserCallNoParam  ... ) == 0x0
 01361   304   NtUserCallNoParam  (29, ...
 01362   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228696, ... ) }, 1228696, ... ) == 0x0
 01361   304   NtUserCallNoParam  ... ) == 0x0
 01363   304   NtUserMessageCall  (0x100e6, WM_NCCREATE, 0x0, 0x12cda0, 0, 670, 0, ... ) == 0x1
 01364   304   NtUserMessageCall  (0x100e6, WM_NCCALCSIZE, 0x0, 0x12cdc8, 0, 670, 0, ... ) == 0x0
 01365   304   NtUserSetProp  (65766, 43288, -1, ... ) == 0x1
 01287   304   NtUserCreateWindowEx  ... ) == 0x100e6
 01366   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01367   304   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01369   304   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370   304   NtClose  (120, ... ) == 0x0
 01371   304   NtClose  (116, ... ) == 0x0
 01372   304   NtAllocateVirtualMemory  (-1, 1417216, 0, 24576, 4096, 4, ... 1417216, 24576, ) == 0x0
 01373   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01374   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01375   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 01376   304   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377   304   NtClose  (116, ... ) == 0x0
 01378   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01380   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01381   304   NtQuerySystemTime  (... {-1101442322, 29873131}, ) == 0x0
 01382   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01383   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01384   304   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01385   304   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01386   304   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01387   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01388   304   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01389   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 01390   304   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01391   304   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01392   304   NtClose  (140, ... ) == 0x0
 01393   304   NtClose  (136, ... ) == 0x0
 01394   304   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 01395   304   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 01396   304   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01397   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01398   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01399   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01400   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01401   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232136,  (0xc0100080, {24, 0, 0x40, 0, 1232136, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01402   304   NtSetInformationFile  (152, 1232192, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01403   304   NtSetInformationFile  (152, 1232184, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01404   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01405   304   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01406   304   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01407   304   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01408   304   NtClose  (148, ... ) == 0x0
 01409   304   NtClose  (152, ... ) == 0x0
 01410   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1232180, ... ) }, 1232180, ... ) == 0x0
 01411   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01412   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01413   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "rczxtgv.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 01414   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01415   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01416   304   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1326432, 0,  (0x1f0003, {24, 64, 0x80, 1326432, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS
 01417   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01418   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01419   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01420   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01421   304   NtQueryValueKey  (148,  (148, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422   304   NtClose  (148, ... ) == 0x0
 01423   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01424   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01425   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01427   304   NtQueryValueKey  (148,  (148, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428   304   NtClose  (148, ... ) == 0x0
 01429   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01430   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01431   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01433   304   NtQueryValueKey  (148,  (148, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   304   NtClose  (148, ... ) == 0x0
 01435   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01436   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01437   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01439   304   NtQueryValueKey  (148,  (148, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   304   NtClose  (148, ... ) == 0x0
 01441   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 148, ) }, ... 148, ) == 0x0
 01442   304   NtEnumerateKey  (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01443   304   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 156, ) }, ... 156, ) == 0x0
 01444   304   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   304   NtClose  (156, ... ) == 0x0
 01446   304   NtEnumerateKey  (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (148, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01447   304   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 156, ) }, ... 156, ) == 0x0
 01448   304   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   304   NtClose  (156, ... ) == 0x0
 01450   304   NtEnumerateKey  (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (148, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01451   304   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 156, ) }, ... 156, ) == 0x0
 01452   304   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   304   NtClose  (156, ... ) == 0x0
 01454   304   NtEnumerateKey  (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (148, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01455   304   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 156, ) }, ... 156, ) == 0x0
 01456   304   NtQueryValueKey  (156,  (156, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457   304   NtClose  (156, ... ) == 0x0
 01458   304   NtEnumerateKey  (148, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01459   304   NtClose  (148, ... ) == 0x0
 01460   304   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   304   NtOpenProcessToken  (-1, 0x8, ... 148, ) == 0x0
 01462   304   NtQueryInformationToken  (148, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01463   304   NtClose  (148, ... ) == 0x0
 01464   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01465   304   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0
 01466   304   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 156, ) == 0x0
 01467   304   NtCreateKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "SessionInfo\00000000000090de"}, 0, 0x0, 1, ... 160, 2, ) }, 0, 0x0, 1, ... 160, 2, ) == 0x0
 01468   304   NtClose  (156, ... ) == 0x0
 01469   304   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   304   NtClose  (160, ... ) == 0x0
 01471   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01472   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01473   304   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01474   304   NtClose  (160, ... ) == 0x0
 01475   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01476   304   NtSetInformationObject  (162, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01477   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01478   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01480   304   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01481   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01482   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01483   304   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01484   304   NtClose  (164, ... ) == 0x0
 01485   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486   304   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487   304   NtClose  (158, ... ) == 0x0
 01488   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01489   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01491   304   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01492   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01493   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01494   304   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01495   304   NtClose  (164, ... ) == 0x0
 01496   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497   304   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01498   304   NtClose  (158, ... ) == 0x0
 01499   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01500   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 156, ) }, ... 156, ) == 0x0
 01502   304   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01503   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01504   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01505   304   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01506   304   NtClose  (164, ... ) == 0x0
 01507   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508   304   NtQueryValueKey  (158,  (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (158, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01509   304   NtClose  (158, ... ) == 0x0
 01510   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01512   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01514   304   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01515   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01516   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01517   304   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01518   304   NtClose  (164, ... ) == 0x0
 01519   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01520   304   NtQueryValueKey  (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01521   304   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01522   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01523   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01524   304   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01525   304   NtClose  (164, ... ) == 0x0
 01526   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   304   NtQueryValueKey  (158,  (158, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528   304   NtClose  (158, ... ) == 0x0
 01529   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01530   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01531   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 156, ) }, ... 156, ) == 0x0
 01533   304   NtQueryValueKey  (156,  (156, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   304   NtClose  (156, ... ) == 0x0
 01535   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 156, ) }, ... 156, ) == 0x0
 01536   304   NtQueryValueKey  (156,  (156, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01537   304   NtClose  (156, ... ) == 0x0
 01538   304   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01539   304   NtQueryValueKey  (156, " (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (156, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01540   304   NtClose  (156, ... ) == 0x0
 01541   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01542   304   NtQueryVolumeInformationFile  (156, 1232320, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01543   304   NtOpenMutant  (0x120001, {24, 64, 0x0, 0, 0,  (0x120001, {24, 64, 0x0, 0, 0, "ShimCacheMutex"}, ... 164, ) }, ... 164, ) == 0x0
 01544   304   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 01545   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "ShimSharedMemory"}, ... 168, ) }, ... 168, ) == 0x0
 01546   304   NtMapViewOfSection  (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x12b0000), {0, 0}, 57344, ) == 0x0
 01547   304   NtQueryInformationFile  (156, 1232284, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01548   304   NtQueryInformationFile  (156, 1232324, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01549   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01550   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01551   304   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01552   304   NtClose  (172, ... ) == 0x0
 01553   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554   304   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 01555   304   NtClose  (156, ... ) == 0x0
 01556   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01557   304   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01558   304   NtClose  (156, ... ) == 0x0
 01559   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1230072, ... ) }, 1230072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "CLBCATQ.DLL"}, 1230072, ... ) }, 1230072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1230072, ... ) }, 1230072, ... ) == 0x0
 01563   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01564   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 172, ) == 0x0
 01565   304   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01566   304   NtClose  (156, ... ) == 0x0
 01567   304   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01568   304   NtClose  (172, ... ) == 0x0
 01569   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1229268, ... ) }, 1229268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "COMRes.dll"}, 1229268, ... ) }, 1229268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1229268, ... ) }, 1229268, ... ) == 0x0
 01573   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01574   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 156, ) == 0x0
 01575   304   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01576   304   NtClose  (172, ... ) == 0x0
 01577   304   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01578   304   NtClose  (156, ... ) == 0x0
 01579   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 156, ) }, ... 156, ) == 0x0
 01580   304   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01581   304   NtClose  (156, ... ) == 0x0
 01582   304   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 156, ) }, ... 156, ) == 0x0
 01585   304   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   304   NtQueryValueKey  (156,  (156, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01587   304   NtClose  (156, ... ) == 0x0
 01588   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1230100, ... ) }, 1230100, ... ) == 0x0
 01589   304   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590   304   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01591   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 156, ) }, ... 156, ) == 0x0
 01592   304   NtQueryValueKey  (156,  (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01593   304   NtClose  (156, ... ) == 0x0
 01594   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 156, ) }, ... 156, ) == 0x0
 01595   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01596   304   NtNotifyChangeKey  (156, 172, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01597   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 176, ) }, ... 176, ) == 0x0
 01598   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01599   304   NtNotifyChangeKey  (176, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01600   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01601   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 188, ) }, ... 188, ) == 0x0
 01602   304   NtSetInformationObject  (188, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01603   304   NtNotifyChangeKey  (188, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01604   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 192, ) }, ... 192, ) == 0x0
 01605   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01606   304   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01607   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01608   304   NtNotifyChangeKey  (188, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01609   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01610   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01611   304   NtNotifyChangeKey  (204, 208, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01612   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01613   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01614   304   NtNotifyChangeKey  (212, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01615   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 220, ) }, ... 220, ) == 0x0
 01616   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01617   304   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01618   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 228, ) }, ... 228, ) == 0x0
 01619   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01620   304   NtNotifyChangeKey  (228, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01621   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 01622   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01623   304   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01624   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01625   304   NtNotifyChangeKey  (188, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01626   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01627   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01628   304   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01629   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01630   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01631   304   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01632   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01633   304   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01634   304   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01635   304   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01636   304   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 272, ) }, ... 272, ) == 0x0
 01638   304   NtQueryValueKey  (272,  (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01639   304   NtClose  (272, ... ) == 0x0
 01640   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01641   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01642   304   NtOpenSection  (0x4, {24, 64, 0x0, 0, 0,  (0x4, {24, 64, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 272, ) }, ... 272, ) == 0x0
 01643   304   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x12c0000), {0, 0}, 24576, ) == 0x0
 01644   304   NtAllocateVirtualMemory  (-1, 18702336, 0, 8192, 4096, 4, ... 18702336, 8192, ) == 0x0
 01645   304   NtAllocateVirtualMemory  (-1, 18710528, 0, 8192, 4096, 4, ... 18710528, 8192, ) == 0x0
 01646   304   NtOpenSection  (0x4, {24, 64, 0x2, 0, 0,  (0x4, {24, 64, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01647   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01648   304   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01649   304   NtClose  (276, ... ) == 0x0
 01650   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01651   304   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01652   304   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 19726336, 65536, ) == 0x0
 01653   304   NtAllocateVirtualMemory  (-1, 19726336, 0, 4096, 4096, 4, ... 19726336, 4096, ) == 0x0
 01654   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01655   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01656   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01657   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01658   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01659   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01660   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01661   304   NtClose  (280, ... ) == 0x0
 01662   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01663   304   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01664   304   NtClose  (278, ... ) == 0x0
 01665   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01666   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01667   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01668   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01669   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01670   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01671   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01672   304   NtClose  (280, ... ) == 0x0
 01673   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01674   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01675   304   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0
 01676   304   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01677   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01678   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01679   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01680   304   NtClose  (284, ... ) == 0x0
 01681   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01682   304   NtQueryValueKey  (282,  (282, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01683   304   NtClose  (282, ... ) == 0x0
 01684   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01685   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01686   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01687   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01688   304   NtClose  (280, ... ) == 0x0
 01689   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01690   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01692   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01693   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01694   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01695   304   NtClose  (280, ... ) == 0x0
 01696   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01697   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01698   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01699   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01700   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01701   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01702   304   NtClose  (280, ... ) == 0x0
 01703   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01705   304   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01706   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01707   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01708   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01709   304   NtClose  (284, ... ) == 0x0
 01710   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01711   304   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01712   304   NtClose  (282, ... ) == 0x0
 01713   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01714   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01715   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01716   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01717   304   NtClose  (280, ... ) == 0x0
 01718   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01719   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01720   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01721   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01722   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01723   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01724   304   NtClose  (280, ... ) == 0x0
 01725   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01726   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01727   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01728   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01729   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01730   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01731   304   NtClose  (280, ... ) == 0x0
 01732   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01734   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01735   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01736   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01737   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01738   304   NtClose  (280, ... ) == 0x0
 01739   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01740   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01741   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01742   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01743   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01744   304   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01745   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01746   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01747   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01748   304   NtClose  (284, ... ) == 0x0
 01749   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01750   304   NtQueryValueKey  (282,  (282, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01751   304   NtClose  (282, ... ) == 0x0
 01752   304   NtClose  (278, ... ) == 0x0
 01753   304   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {300, 0}, ... 276, ) == 0x0
 01754   304   NtQueryInformationProcess  (276, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01755   304   NtClose  (276, ... ) == 0x0
 01756   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01757   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01759   304   NtClose  (278, ... ) == 0x0
 01760   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01761   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01763   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01764   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01765   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01766   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01767   304   NtClose  (280, ... ) == 0x0
 01768   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01769   304   NtOpenKey  (0x2000000, {24, 278, 0x40, 0, 0,  (0x2000000, {24, 278, 0x40, 0, 0, "InprocServer32"}, ... 280, ) }, ... 280, ) == 0x0
 01770   304   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01771   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01772   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01773   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01774   304   NtClose  (284, ... ) == 0x0
 01775   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   304   NtQueryValueKey  (282,  (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (282, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01777   304   NtClose  (282, ... ) == 0x0
 01778   304   NtClose  (278, ... ) == 0x0
 01779   304   NtAllocateVirtualMemory  (-1, 1449984, 0, 8192, 4096, 4, ... 1449984, 8192, ) == 0x0
 01780   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01781   304   NtOpenKey  (0x20019, {24, 162, 0x40, 0, 0,  (0x20019, {24, 162, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01782   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 276, ) }, ... 276, ) == 0x0
 01783   304   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01784   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01785   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01786   304   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01787   304   NtClose  (280, ... ) == 0x0
 01788   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01789   304   NtOpenKey  (0x1, {24, 278, 0x40, 0, 0,  (0x1, {24, 278, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01790   304   NtClose  (278, ... ) == 0x0
 01791   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226492, ... ) }, 1226492, ... ) == 0x0
 01792   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01793   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01794   304   NtClose  (276, ... ) == 0x0
 01795   304   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x12e0000), 0x0, 1339392, ) == 0x0
 01796   304   NtClose  (280, ... ) == 0x0
 01797   304   NtUnmapViewOfSection  (-1, 0x12e0000, ... ) == 0x0
 01798   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226808, ... ) }, 1226808, ... ) == 0x0
 01799   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01800   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01801   304   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01802   304   NtClose  (280, ... ) == 0x0
 01803   304   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01804   304   NtClose  (276, ... ) == 0x0
 01805   304   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01806   304   NtQueryDefaultUILanguage  (1225172, ...
 01807   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01808   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482132, ) == 0x0
 01809   304   NtQueryInformationToken  (-2147482132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01810   304   NtClose  (-2147482132, ... ) == 0x0
 01811   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 01812   304   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01813   304   NtOpenKey  (0x80000000, {24, -2147482132, 0x640, 0, 0,  (0x80000000, {24, -2147482132, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 01814   304   NtQueryValueKey  (-2147482056,  (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01815   304   NtClose  (-2147482056, ... ) == 0x0
 01816   304   NtClose  (-2147482132, ... ) == 0x0
 01806   304   NtQueryDefaultUILanguage  ... ) == 0x0
 01817   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01819   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 280, ) == 0x0
 01820   304   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x12e0000), 0x0, 1339392, ) == 0x0
 01821   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   304   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 01823   304   NtQueryDefaultLocale  (1, 1223208, ... ) == 0x0
 01824   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01825   304   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1224064, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1224064, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\3409\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2313, 0} " S\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\3409\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\264\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 300, 304, 2313, 0}  (24, {128, 156, new_msg, 0, 1224064, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\3409\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 300, 304, 2313, 0} " S\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0\10\3409\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\200\264\22\0\0\0\0\0" )  ) == 0x0
 01826   304   NtClose  (276, ... ) == 0x0
 01827   304   NtClose  (280, ... ) == 0x0
 01828   304   NtUnmapViewOfSection  (-1, 0x12e0000, ... ) == 0x0
 01829   304   NtUnmapViewOfSection  (-1, 0x12b480, ... ) == STATUS_NOT_MAPPED_VIEW
 01830   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01831   304   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01833   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01834   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1221748, ... ) }, 1221748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01835   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01836   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01837   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01838   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1222340, ... ) }, 1222340, ... ) == 0x0
 01839   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 280, {status=0x0, info=1}, ) }, 3, 33, ... 280, {status=0x0, info=1}, ) == 0x0
 01840   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01841   304   NtUserFindExistingCursorIcon  (1226292, 1226308, 1226876, ... ) == 0x10011
 01842   304   NtUserRegisterClassExWOW  (1226744, 1226824, 1226808, 1226840, 0, 384, 0, ... ) == 0x81270000
 01843   304   NtUserGetClassInfo  (1905590272, 1226908, 1226860, 1226936, 0, ... ) == 0xc05f
 01844   304   NtGdiCreateHalftonePalette  (0, ... ) == 0x2080347
 01845   304   NtGdiDoPalette  (34079559, 0, 256, 1226000, 2, 0, ... ) == 0x100
 01846   304   NtGdiDeleteObjectApp  (34079559, ... ) == 0x1
 01847   304   NtGdiCreateCompatibleDC  (0, ... ) == 0x3010347
 01848   304   NtGdiCreatePaletteInternal  (1225996, 256, ... ) == 0x3080346
 01849   304   NtGdiDeleteObjectApp  (50398023, ... ) == 0x1
 01850   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01851   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01852   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 276, ) }, ... 276, ) == 0x0
 01853   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01854   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01855   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01856   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01857   304   NtClose  (284, ... ) == 0x0
 01858   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01860   304   NtClose  (278, ... ) == 0x0
 01861   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01862   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01863   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01864   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01865   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01866   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01867   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01868   304   NtClose  (284, ... ) == 0x0
 01869   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01871   304   NtClose  (278, ... ) == 0x0
 01872   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01873   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01874   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01875   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01876   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01877   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01878   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01879   304   NtClose  (284, ... ) == 0x0
 01880   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01881   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01882   304   NtClose  (278, ... ) == 0x0
 01883   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01884   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01886   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01887   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01888   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01889   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01890   304   NtClose  (284, ... ) == 0x0
 01891   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01892   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01893   304   NtClose  (278, ... ) == 0x0
 01894   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01895   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01896   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 276, ) }, ... 276, ) == 0x0
 01897   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01898   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01899   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01900   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01901   304   NtClose  (284, ... ) == 0x0
 01902   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01904   304   NtClose  (278, ... ) == 0x0
 01905   304   NtAllocateVirtualMemory  (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0
 01906   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01907   304   NtAllocateVirtualMemory  (-1, 1462272, 0, 12288, 4096, 4, ... 1462272, 12288, ) == 0x0
 01908   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01909   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01911   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01912   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01913   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01914   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01915   304   NtClose  (284, ... ) == 0x0
 01916   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917   304   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01918   304   NtClose  (278, ... ) == 0x0
 01919   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01920   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01921   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01922   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 01923   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01924   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01925   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01926   304   NtClose  (284, ... ) == 0x0
 01927   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928   304   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929   304   NtClose  (278, ... ) == 0x0
 01930   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01931   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01932   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01933   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 01934   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01935   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01936   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01937   304   NtClose  (284, ... ) == 0x0
 01938   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01939   304   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940   304   NtClose  (278, ... ) == 0x0
 01941   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01942   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01943   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 276, ) }, ... 276, ) == 0x0
 01944   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01945   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01946   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01947   304   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01948   304   NtClose  (284, ... ) == 0x0
 01949   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01950   304   NtQueryValueKey  (278,  (278, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01951   304   NtClose  (278, ... ) == 0x0
 01952   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 276, ) }, ... 276, ) == 0x0
 01953   304   NtEnumerateValueKey  (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (276, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01954   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01955   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01956   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01957   304   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01958   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01959   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01960   304   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01961   304   NtClose  (288, ... ) == 0x0
 01962   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01963   304   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01964   304   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01965   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01966   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01967   304   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01968   304   NtClose  (288, ... ) == 0x0
 01969   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01970   304   NtQueryValueKey  (286,  (286, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01971   304   NtClose  (286, ... ) == 0x0
 01972   304   NtEnumerateValueKey  (276, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01973   304   NtClose  (276, ... ) == 0x0
 01974   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01975   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01976   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1231452, ... ) }, 1231452, ... ) == 0x0
 01977   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01978   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01979   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01980   304   NtQueryValueKey  (276,  (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (276, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01981   304   NtClose  (276, ... ) == 0x0
 01982   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01983   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01984   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1232480, ... ) }, 1232480, ... ) == 0x0
 01985   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01986   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01987   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 01988   304   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01989   304   NtQueryValueKey  (276,  (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01990   304   NtClose  (276, ... ) == 0x0
 01991   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233304,  (0x80100080, {24, 0, 0x40, 0, 1233304, "\??\u:\work\rczxtgv.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 276, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0
 01992   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 284, ) }, ... 284, ) == 0x0
 01993   304   NtQuerySymbolicLinkObject  (284, ...  (284, ... "\Device\WinDfs\U:00000000000090de", 66, ) , 66, ) == 0x0
 01994   304   NtClose  (284, ... ) == 0x0
 01995   304   NtQueryInformationFile  (276, 1231748, 528, Name, ... {status=0x0, info=74}, ) == 0x0
 01996   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01997   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01998   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\rczxtgv.bat"}, 1230428, ... ) }, 1230428, ... ) == 0x0
 01999   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 284, {status=0x0, info=1}, ) }, 3, 16417, ... 284, {status=0x0, info=1}, ) == 0x0
 02000   304   NtQueryDirectoryFile  (284, 0, 0, 0, 1229788, 616, BothDirectory, 1,  (284, 0, 0, 0, 1229788, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02001   304   NtClose  (284, ... ) == 0x0
 02002   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 284, {status=0x0, info=1}, ) }, 3, 16417, ... 284, {status=0x0, info=1}, ) == 0x0
 02003   304   NtQueryDirectoryFile  (284, 0, 0, 0, 1229788, 616, BothDirectory, 1,  (284, 0, 0, 0, 1229788, 616, BothDirectory, 1, "rczxtgv.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02004   304   NtClose  (284, ... ) == 0x0
 02005   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02006   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02007   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1231160, ... ) }, 1231160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02009   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "WINTRUST.dll"}, 1231160, ... ) }, 1231160, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1231160, ... ) }, 1231160, ... ) == 0x0
 02011   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02012   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 288, ) == 0x0
 02013   304   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02014   304   NtClose  (284, ... ) == 0x0
 02015   304   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 02016   304   NtClose  (288, ... ) == 0x0
 02017   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 288, ) }, ... 288, ) == 0x0
 02018   304   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 02019   304   NtClose  (288, ... ) == 0x0
 02020   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02021   304   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19791872, 262144, ) == 0x0
 02022   304   NtAllocateVirtualMemory  (-1, 19791872, 0, 4096, 4096, 4, ... 19791872, 4096, ) == 0x0
 02023   304   NtAllocateVirtualMemory  (-1, 19795968, 0, 8192, 4096, 4, ... 19795968, 8192, ) == 0x0
 02024   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02025   304   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20054016, 1048576, ) == 0x0
 02026   304   NtAllocateVirtualMemory  (-1, 20054016, 0, 1048576, 4096, 4, ... 20054016, 1048576, ) == 0x0
 02027   304   NtCreateMutant  (0x1f0001, 0x0, 0, ... 288, ) == 0x0
 02028   304   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 284, ) == 0x0
 02029   304   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 02030   304   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 296, ) == 0x0
 02031   304   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 02032   304   NtSetEvent  (300, ... 0x0, ) == 0x0
 02033   304   NtSetInformationFile  (276, 1233188, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02034   304   NtReadFile  (276, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (276, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02035   304   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 02036   304   NtClearEvent  (284, ... ) == 0x0
 02037   304   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 02038   304   NtWaitForSingleObject  (288, 0, 0x0, ... ) == 0x0
 02039   304   NtSetEvent  (284, ... 0x0, ) == 0x0
 02040   304   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 02041   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02042   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02043   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02044   304   NtClose  (304, ... ) == 0x0
 02045   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02046   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02047   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02048   304   NtClose  (304, ... ) == 0x0
 02049   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02050   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02051   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02052   304   NtClose  (304, ... ) == 0x0
 02053   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02054   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02055   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02056   304   NtClose  (304, ... ) == 0x0
 02057   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02058   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02059   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02060   304   NtClose  (304, ... ) == 0x0
 02061   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02062   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02063   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02064   304   NtClose  (304, ... ) == 0x0
 02065   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02066   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 304, ) }, ... 304, ) == 0x0
 02067   304   NtQueryValueKey  (304,  (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02068   304   NtQueryValueKey  (304,  (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02069   304   NtClose  (304, ... ) == 0x0
 02070   304   NtWaitForMultipleObjects  (2, (288, 284, ), 0, 0, 0x0, ... ) == 0x0
 02071   304   NtReleaseMutant  (288, ... 0x0, ) == 0x0
 02072   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02073   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 304, ) == 0x0
 02074   304   NtQueryInformationToken  (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02075   304   NtClose  (304, ... ) == 0x0
 02076   304   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 02077   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   304   NtClose  (304, ... ) == 0x0
 02079   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 304, ) }, ... 304, ) == 0x0
 02080   304   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02081   304   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02082   304   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02083   304   NtQueryValueKey  (304,  (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02084   304   NtClose  (304, ... ) == 0x0
 02085   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 304, ) }, ... 304, ) == 0x0
 02086   304   NtQueryValueKey  (304,  (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02087   304   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02088   304   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02089   304   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02090   304   NtQueryValueKey  (304,  (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02091   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1230476, ... ) }, 1230476, ... ) == 0x0
 02092   304   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 308, ) }, ... 308, ) == 0x0
 02093   304   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02094   304   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02095   304   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02096   304   NtQueryValueKey  (308,  (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02097   304   NtClose  (308, ... ) == 0x0
 02098   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02099   304   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02100   304   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02101   304   NtQueryInformationToken  (308, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02102   304   NtClose  (308, ... ) == 0x0
 02103   304   NtClose  (304, ... ) == 0x0
 02104   304   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02105   304   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 02106   304   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02107   304   NtClose  (304, ... ) == 0x0
 02108   304   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 02109   304   NtCreateKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0
 02110   304   NtClose  (304, ... ) == 0x0
 02111   304   NtQueryValueKey  (308,  (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02112   304   NtClose  (308, ... ) == 0x0
 02113   304   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02114   304   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02115   304   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02116   304   NtClose  (308, ... ) == 0x0
 02117   304   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02118   304   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 304, ) }, ... 304, ) == 0x0
 02119   304   NtClose  (308, ... ) == 0x0
 02120   304   NtQueryValueKey  (304,  (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (304, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02121   304   NtClose  (304, ... ) == 0x0
 02122   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02123   304   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02124   304   NtOpenProcessToken  (-1, 0x8, ... 304, ) == 0x0
 02125   304   NtQueryInformationToken  (304, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02126   304   NtClose  (304, ... ) == 0x0
 02127   304   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 304, ) }, ... 304, ) == 0x0
 02128   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   304   NtClose  (304, ... ) == 0x0
 02130   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02131   304   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 276, ... 304, ) == 0x0
 02132   304   NtMapViewOfSection  (304, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1420000), {0, 0}, 4096, ) == 0x0
 02133   304   NtClose  (304, ... ) == 0x0
 02134   304   NtQueryInformationFile  (276, 1232692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02135   304   NtUnmapViewOfSection  (-1, 0x1420000, ... ) == 0x0
 02136   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02137   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02138   304   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02139   304   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02140   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02141   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02142   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02143   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02144   304   NtClose  (316, ... ) == 0x0
 02145   304   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02146   304   NtClose  (312, ... ) == 0x0
 02147   304   NtClose  (308, ... ) == 0x0
 02148   304   NtClose  (304, ... ) == 0x0
 02149   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02150   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02151   304   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 312, ) }, ... 312, ) == 0x0
 02152   304   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02153   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 316, ) }, ... 316, ) == 0x0
 02154   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02155   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02156   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02157   304   NtClose  (316, ... ) == 0x0
 02158   304   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02159   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02160   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02161   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02162   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02163   304   NtClose  (316, ... ) == 0x0
 02164   304   NtEnumerateKey  (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (312, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02165   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 316, ) }, ... 316, ) == 0x0
 02166   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02167   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02168   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02169   304   NtClose  (316, ... ) == 0x0
 02170   304   NtEnumerateKey  (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (312, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02171   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 316, ) }, ... 316, ) == 0x0
 02172   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02173   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02174   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02175   304   NtClose  (316, ... ) == 0x0
 02176   304   NtEnumerateKey  (312, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02177   304   NtClose  (312, ... ) == 0x0
 02178   304   NtClose  (308, ... ) == 0x0
 02179   304   NtClose  (304, ... ) == 0x0
 02180   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 304, ) }, ... 304, ) == 0x0
 02181   304   NtEnumerateKey  (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (304, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02182   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 0"}, ... 308, ) }, ... 308, ) == 0x0
 02183   304   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 312, ) }, ... 312, ) == 0x0
 02184   304   NtEnumerateKey  (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (312, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02185   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 316, ) }, ... 316, ) == 0x0
 02186   304   NtQueryKey  (316, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02187   304   NtEnumerateValueKey  (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02188   304   NtEnumerateValueKey  (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02189   304   NtClose  (316, ... ) == 0x0
 02190   304   NtEnumerateKey  (312, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02191   304   NtClose  (312, ... ) == 0x0
 02192   304   NtClose  (308, ... ) == 0x0
 02193   304   NtEnumerateKey  (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (304, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02194   304   NtOpenKey  (0x20019, {24, 304, 0x40, 0, 0,  (0x20019, {24, 304, 0x40, 0, 0, "EncodingType 1"}, ... 308, ) }, ... 308, ) == 0x0
 02195   304   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196   304   NtClose  (308, ... ) == 0x0
 02197   304   NtEnumerateKey  (304, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02198   304   NtClose  (304, ... ) == 0x0
 02199   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230220, ... ) }, 1230220, ... ) == 0x0
 02200   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 02201   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 304, ... 308, ) == 0x0
 02202   304   NtClose  (304, ... ) == 0x0
 02203   304   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1420000), 0x0, 16384, ) == 0x0
 02204   304   NtClose  (308, ... ) == 0x0
 02205   304   NtUnmapViewOfSection  (-1, 0x1420000, ... ) == 0x0
 02206   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230536, ... ) }, 1230536, ... ) == 0x0
 02207   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02208   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 02209   304   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02210   304   NtClose  (308, ... ) == 0x0
 02211   304   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02212   304   NtClose  (304, ... ) == 0x0
 02213   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1229796, ... ) }, 1229796, ... ) == 0x0
 02214   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 304, ) == 0x0
 02215   304   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21233664, 1048576, ) == 0x0
 02216   304   NtAllocateVirtualMemory  (-1, 22274048, 0, 8192, 4096, 4, ... 22274048, 8192, ) == 0x0
 02217   304   NtProtectVirtualMemory  (-1, (0x153e000), 4096, 260, ... (0x153e000), 4096, 4, ) == 0x0
 02218   304   NtCreateThread  (0x1f03ff, 0x0, -1, 1231744, 1232460, 1, ... 308, {300, 1500}, ) == 0x0
 02219   304   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=300,Tid=1500,}, 0x0, ) == 0x0
 02220   304   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0,\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 300, 304, 2314, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0,\1\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 300, 304, 2314, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\04\1\0\0,\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 300, 304, 2314, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\04\1\0\0,\1\0\0\334\5\0\0" )  ) == 0x0
 02221   304   NtResumeThread  (308, ... 1, ) == 0x0
 02222   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 312, ) }, ... 312, ) == 0x0
 02223   304   NtEnumerateKey  (312, 0, Basic, 288, ...
 02224  1500   NtTestAlert  (... ) == 0x0
 02225  1500   NtContinue  (22281520, 1, ...
 02226  1500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02227  1500   NtWaitForMultipleObjects  (1, (304, ), 1, 0, {-150000000, -1}, ...
 02223   304   NtEnumerateKey  ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02228   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 0"}, ... 316, ) }, ... 316, ) == 0x0
 02229   304   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 320, ) }, ... 320, ) == 0x0
 02230   304   NtEnumerateKey  (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02231   304   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 324, ) }, ... 324, ) == 0x0
 02232   304   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02233   304   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02234   304   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02235   304   NtClose  (324, ... ) == 0x0
 02236   304   NtEnumerateKey  (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02237   304   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02238   304   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02239   304   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02240   304   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02241   304   NtClose  (324, ... ) == 0x0
 02242   304   NtEnumerateKey  (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (320, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02243   304   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 324, ) }, ... 324, ) == 0x0
 02244   304   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02245   304   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02246   304   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02247   304   NtClose  (324, ... ) == 0x0
 02248   304   NtEnumerateKey  (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (320, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02249   304   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 324, ) }, ... 324, ) == 0x0
 02250   304   NtQueryKey  (324, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02251   304   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02252   304   NtEnumerateValueKey  (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02253   304   NtClose  (324, ... ) == 0x0
 02254   304   NtEnumerateKey  (320, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02255   304   NtClose  (320, ... ) == 0x0
 02256   304   NtClose  (316, ... ) == 0x0
 02257   304   NtEnumerateKey  (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (312, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02258   304   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "EncodingType 1"}, ... 316, ) }, ... 316, ) == 0x0
 02259   304   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   304   NtClose  (316, ... ) == 0x0
 02261   304   NtEnumerateKey  (312, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02262   304   NtClose  (312, ... ) == 0x0
 02263   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02264   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1230528, ... ) }, 1230528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02265   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "MSISIP.DLL"}, 1230528, ... ) }, 1230528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02266   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1230528, ... ) }, 1230528, ... ) == 0x0
 02267   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02268   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02269   304   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02270   304   NtClose  (312, ... ) == 0x0
 02271   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02272   304   NtClose  (316, ... ) == 0x0
 02273   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02274   304   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 21102592, 65536, ) == 0x0
 02275   304   NtAllocateVirtualMemory  (-1, 21102592, 0, 4096, 4096, 4, ... 21102592, 4096, ) == 0x0
 02276   304   NtAllocateVirtualMemory  (-1, 21106688, 0, 8192, 4096, 4, ... 21106688, 8192, ) == 0x0
 02277   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1230116, ... ) }, 1230116, ... ) == 0x0
 02278   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02279   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02280   304   NtClose  (316, ... ) == 0x0
 02281   304   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1540000), 0x0, 262144, ) == 0x0
 02282   304   NtClose  (312, ... ) == 0x0
 02283   304   NtUnmapViewOfSection  (-1, 0x1540000, ... ) == 0x0
 02284   304   NtAllocateLocallyUniqueId  (... {103367, 0}, ) == 0x0
 02285   304   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02286   304   NtOpenProcessToken  (-1, 0x20008, ... 312, ) == 0x0
 02287   304   NtQueryInformationToken  (312, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02288   304   NtClose  (312, ... ) == 0x0
 02289   304   NtCreateSection  (0xf0007, {24, 64, 0x80, 1231436, 0,  (0xf0007, {24, 64, 0x80, 1231436, 0, "DfSharedHeap193C7"}, {4194304, 0}, 4, 67108864, 0, ... 312, ) }, {4194304, 0}, 4, 67108864, 0, ... 312, ) == 0x0
 02290   304   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1540000), {0, 0}, 4194304, ) == 0x0
 02291   304   NtAllocateVirtualMemory  (-1, 22282240, 0, 16376, 4096, 4, ... 22282240, 16384, ) == 0x0
 02292   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228952,  (0x80100080, {24, 0, 0x40, 0, 1228952, "\??\UNC\missouri\binaries\work\rczxtgv.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 02293   304   NtReadFile  (316, 0, 0, 1231656, 512, {0, 0}, 0, ... {status=0x0, info=123},  (316, 0, 0, 1231656, 512, {0, 0}, 0, ... {status=0x0, info=123}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del rczxtgv.bat\15\12", ) , ) == 0x0
 02294   304   NtClose  (316, ... ) == 0x0
 02295   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230220, ... ) }, 1230220, ... ) == 0x0
 02296   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02297   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 320, ) == 0x0
 02298   304   NtClose  (316, ... ) == 0x0
 02299   304   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1940000), 0x0, 69632, ) == 0x0
 02300   304   NtClose  (320, ... ) == 0x0
 02301   304   NtUnmapViewOfSection  (-1, 0x1940000, ... ) == 0x0
 02302   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230536, ... ) }, 1230536, ... ) == 0x0
 02303   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02304   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 02305   304   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02306   304   NtClose  (320, ... ) == 0x0
 02307   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02308   304   NtClose  (316, ... ) == 0x0
 02309   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02310   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02311   304   NtClose  (316, ... ) == 0x0
 02312   304   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02313   304   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02314   304   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02315   304   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02316   304   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02317   304   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02318   304   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02319   304   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02320   304   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02321   304   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02322   304   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02323   304   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02324   304   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02325   304   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02326   304   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02327   304   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02328   304   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02329   304   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02330   304   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02331   304   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02332   304   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02333   304   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02334   304   NtOpenProcessToken  (-1, 0x8, ... 316, ) == 0x0
 02335   304   NtQueryInformationToken  (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02336   304   NtClose  (316, ... ) == 0x0
 02337   304   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02338   304   NtReleaseMutant  (16, ...
 02339   304   NtContinue  (-133463928, 0, ...
 02338   304   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02340   304   NtQueryDefaultLocale  (1, 1229216, ... ) == 0x0
 02341   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227208, ... ) }, 1227208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227524, ... ) }, 1227524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02343   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02344   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02345   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02346   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02347   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02348   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02349   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02351   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02352   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227208, ... ) }, 1227208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02353   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227524, ... ) }, 1227524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02354   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02355   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02356   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02357   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02358   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02359   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02360   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02361   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02362   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02363   304   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02364   304   NtReleaseMutant  (16, ...
 02365   304   NtContinue  (-133463928, 0, ...
 02364   304   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02366   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227208, ... ) }, 1227208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02367   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227524, ... ) }, 1227524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02369   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02370   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02371   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02372   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02373   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02374   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02375   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227516, ... ) }, 1227516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02377   304   NtClose  (276, ... ) == 0x0
 02378   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0
 02379   304   NtQueryValueKey  (276,  (276, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02380   304   NtClose  (276, ... ) == 0x0
 02381   304   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02382   304   NtOpenProcessToken  (-1, 0x2000a, ... 276, ) == 0x0
 02383   304   NtQueryInformationToken  (276, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02384   304   NtQueryInformationToken  (276, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02385   304   NtClose  (276, ... ) == 0x0
 02386   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02387   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02388   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02389   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 276, ) }, ... 276, ) == 0x0
 02391   304   NtQueryValueKey  (276,  (276, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   304   NtClose  (276, ... ) == 0x0
 02393   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02394   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02395   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02396   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 276, ) }, ... 276, ) == 0x0
 02397   304   NtQueryValueKey  (276,  (276, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   304   NtClose  (276, ... ) == 0x0
 02399   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02400   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 276, ) }, ... 276, ) == 0x0
 02402   304   NtQueryKey  (278, Name, 392, ... {Name= (278, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02403   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02404   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02405   304   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02406   304   NtClose  (316, ... ) == 0x0
 02407   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   304   NtQueryValueKey  (278, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (278, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02409   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1229824, ... ) }, 1229824, ... ) == 0x0
 02410   304   NtClose  (278, ... ) == 0x0
 02411   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02412   304   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 276, {status=0x0, info=1}, ) }, 3, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 02413   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 316, ) }, ... 316, ) == 0x0
 02414   304   NtQuerySymbolicLinkObject  (316, ...  (316, ... "\Device\WinDfs\U:00000000000090de", 66, ) , 66, ) == 0x0
 02415   304   NtClose  (316, ... ) == 0x0
 02416   304   NtQueryVolumeInformationFile  (276, 1233176, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02417   304   NtClose  (276, ... ) == 0x0
 02418   304   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02419   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 276, ) }, ... 276, ) == 0x0
 02420   304   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 316, ) }, ... 316, ) == 0x0
 02421   304   NtQueryValueKey  (316,  (316, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02422   304   NtQueryValueKey  (316,  (316, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02423   304   NtClose  (316, ... ) == 0x0
 02424   304   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02425   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02426   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02427   304   NtQueryValueKey  (316,  (316, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02429   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02430   304   NtClose  (316, ... ) == 0x0
 02431   304   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02432   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02433   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02434   304   NtQueryValueKey  (316,  (316, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02435   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02436   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02437   304   NtClose  (316, ... ) == 0x0
 02438   304   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02439   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02440   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02441   304   NtQueryValueKey  (316,  (316, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02442   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02443   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02444   304   NtClose  (316, ... ) == 0x0
 02445   304   NtOpenKey  (0x20019, {24, 276, 0x40, 0, 0,  (0x20019, {24, 276, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 316, ) }, ... 316, ) == 0x0
 02446   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02447   304   NtQueryValueKey  (316,  (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02448   304   NtQueryValueKey  (316,  (316, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02449   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02450   304   NtQueryValueKey  (316,  (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02451   304   NtClose  (316, ... ) == 0x0
 02452   304   NtClose  (276, ... ) == 0x0
 02453   304   NtQueryDefaultLocale  (1, 1232728, ... ) == 0x0
 02454   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230740, ... ) }, 1230740, ... ) == 0x0
 02455   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 02456   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 316, ) == 0x0
 02457   304   NtClose  (276, ... ) == 0x0
 02458   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1940000), 0x0, 12288, ) == 0x0
 02459   304   NtClose  (316, ... ) == 0x0
 02460   304   NtUnmapViewOfSection  (-1, 0x1940000, ... ) == 0x0
 02461   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231056, ... ) }, 1231056, ... ) == 0x0
 02462   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02463   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 276, ) == 0x0
 02464   304   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02465   304   NtClose  (316, ... ) == 0x0
 02466   304   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02467   304   NtClose  (276, ... ) == 0x0
 02468   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 276, ) }, ... 276, ) == 0x0
 02469   304   NtQueryValueKey  (276,  (276, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (276, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02470   304   NtClose  (276, ... ) == 0x0
 02471   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230740, ... ) }, 1230740, ... ) == 0x0
 02472   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 02473   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 316, ) == 0x0
 02474   304   NtClose  (276, ... ) == 0x0
 02475   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1940000), 0x0, 40960, ) == 0x0
 02476   304   NtClose  (316, ... ) == 0x0
 02477   304   NtUnmapViewOfSection  (-1, 0x1940000, ... ) == 0x0
 02478   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231056, ... ) }, 1231056, ... ) == 0x0
 02479   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02480   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 276, ) == 0x0
 02481   304   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02482   304   NtClose  (316, ... ) == 0x0
 02483   304   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02484   304   NtClose  (276, ... ) == 0x0
 02485   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02486   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0
 02487   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 02488   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 316, ) == 0x0
 02489   304   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02490   304   NtClose  (276, ... ) == 0x0
 02491   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02492   304   NtClose  (316, ... ) == 0x0
 02493   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0
 02495   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02496   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 276, ) == 0x0
 02497   304   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02498   304   NtClose  (316, ... ) == 0x0
 02499   304   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02500   304   NtClose  (276, ... ) == 0x0
 02501   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02502   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1229440, ... ) }, 1229440, ... ) == 0x0
 02503   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 02504   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 316, ) == 0x0
 02505   304   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02506   304   NtClose  (276, ... ) == 0x0
 02507   304   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02508   304   NtClose  (316, ... ) == 0x0
 02509   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02510   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1229440, ... ) }, 1229440, ... ) == 0x0
 02511   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02512   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 276, ) == 0x0
 02513   304   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02514   304   NtClose  (316, ... ) == 0x0
 02515   304   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02516   304   NtClose  (276, ... ) == 0x0
 02517   304   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 276, ) }, ... 276, ) == 0x0
 02518   304   NtQueryValueKey  (276,  (276, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02519   304   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 316, ) == 0x0
 02520   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230740, ... ) }, 1230740, ... ) == 0x0
 02521   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02522   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0
 02523   304   NtClose  (320, ... ) == 0x0
 02524   304   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1940000), 0x0, 24576, ) == 0x0
 02525   304   NtClose  (324, ... ) == 0x0
 02526   304   NtUnmapViewOfSection  (-1, 0x1940000, ... ) == 0x0
 02527   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231056, ... ) }, 1231056, ... ) == 0x0
 02528   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02529   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0
 02530   304   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02531   304   NtClose  (324, ... ) == 0x0
 02532   304   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02533   304   NtClose  (320, ... ) == 0x0
 02534   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02535   304   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02536   304   NtClose  (320, ... ) == 0x0
 02537   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230732, ... ) }, 1230732, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02538   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230732, ... ) }, 1230732, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02539   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230732, ... ) }, 1230732, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02540   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230732, ... ) }, 1230732, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02541   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230732, ... ) }, 1230732, ... ) == 0x0
 02542   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02543   304   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0
 02544   304   NtClose  (320, ... ) == 0x0
 02545   304   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1940000), 0x0, 122880, ) == 0x0
 02546   304   NtClose  (324, ... ) == 0x0
 02547   304   NtUnmapViewOfSection  (-1, 0x1940000, ... ) == 0x0
 02548   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231048, ... ) }, 1231048, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02549   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231048, ... ) }, 1231048, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02550   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231048, ... ) }, 1231048, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02551   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231048, ... ) }, 1231048, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02552   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231048, ... ) }, 1231048, ... ) == 0x0
 02553   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02554   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0
 02555   304   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02556   304   NtClose  (324, ... ) == 0x0
 02557   304   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02558   304   NtClose  (320, ... ) == 0x0
 02559   304   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02560   304   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02561   304   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02562   304   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02563   304   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02564   304   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02565   304   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02566   304   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02567   304   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02568   304   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02569   304   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02570   304   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02571   304   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02572   304   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 26476544, 65536, ) == 0x0
 02573   304   NtAllocateVirtualMemory  (-1, 26476544, 0, 4096, 4096, 4, ... 26476544, 4096, ) == 0x0
 02574   304   NtAllocateVirtualMemory  (-1, 26480640, 0, 8192, 4096, 4, ... 26480640, 8192, ) == 0x0
 02575   304   NtAllocateVirtualMemory  (-1, 26488832, 0, 4096, 4096, 4, ... 26488832, 4096, ) == 0x0
 02576   304   NtQueryPerformanceCounter  (... {240951007, 0}, {3579545, 0}, ) == 0x0
 02577   304   NtRaiseException  (1230540, 1229800, 1, ...
 02578   304   NtContinue  (1228596, 0, ...
 02579   304   NtOpenMutant  (0x120001, {24, 64, 0x2, 0, 0,  (0x120001, {24, 64, 0x2, 0, 0, "DBWinMutex"}, ... 320, ) }, ... 320, ) == 0x0
 02580   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02581   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02583   304   NtRaiseException  (1220516, 1219776, 1, ...
 02584   304   NtContinue  (1218572, 0, ...
 02585   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02586   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02587   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02588   304   NtRaiseException  (1222276, 1221536, 1, ...
 02589   304   NtContinue  (1220332, 0, ...
 02590   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02591   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02592   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02593   304   NtRaiseException  (1222280, 1221540, 1, ...
 02594   304   NtContinue  (1220336, 0, ...
 02595   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02596   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02597   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02598   304   NtRaiseException  (1222276, 1221536, 1, ...
 02599   304   NtContinue  (1220332, 0, ...
 02600   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02601   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02602   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02603   304   NtRaiseException  (1222280, 1221540, 1, ...
 02604   304   NtContinue  (1220336, 0, ...
 02605   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02606   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02607   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02608   304   NtRaiseException  (1222276, 1221536, 1, ...
 02609   304   NtContinue  (1220332, 0, ...
 02610   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02611   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02612   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02613   304   NtRaiseException  (1222280, 1221540, 1, ...
 02614   304   NtContinue  (1220336, 0, ...
 02615   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02616   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02617   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02618   304   NtRaiseException  (1222276, 1221536, 1, ...
 02619   304   NtContinue  (1220332, 0, ...
 02620   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02621   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02622   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02623   304   NtRaiseException  (1222280, 1221540, 1, ...
 02624   304   NtContinue  (1220336, 0, ...
 02625   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02626   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02627   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02628   304   NtRaiseException  (1222276, 1221536, 1, ...
 02629   304   NtContinue  (1220332, 0, ...
 02630   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02631   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02632   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02633   304   NtRaiseException  (1222280, 1221540, 1, ...
 02634   304   NtContinue  (1220336, 0, ...
 02635   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02636   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02637   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02638   304   NtRaiseException  (1222276, 1221536, 1, ...
 02639   304   NtContinue  (1220332, 0, ...
 02640   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02641   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02642   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02643   304   NtRaiseException  (1222280, 1221540, 1, ...
 02644   304   NtContinue  (1220336, 0, ...
 02645   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02646   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02647   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02648   304   NtRaiseException  (1222276, 1221536, 1, ...
 02649   304   NtContinue  (1220332, 0, ...
 02650   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02651   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02652   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02653   304   NtRaiseException  (1222280, 1221540, 1, ...
 02654   304   NtContinue  (1220336, 0, ...
 02655   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02656   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02657   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02658   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230708, ... ) }, 1230708, ... ) == 0x0
 02659   304   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {300, 0}, ... 324, ) == 0x0
 02660   304   NtQueryInformationProcess  (324, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02661   304   NtClose  (324, ... ) == 0x0
 02662   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230708, ... ) }, 1230708, ... ) == 0x0
 02663   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02664   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 02665   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02666   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02667   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229756,  (0xc0100080, {24, 0, 0x40, 0, 1229756, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02668   304   NtSetInformationFile  (328, 1229812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02669   304   NtSetInformationFile  (328, 1229804, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02670   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02671   304   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02672   304   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02673   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02674   304   NtClose  (324, ... ) == 0x0
 02675   304   NtClose  (328, ... ) == 0x0
 02676   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02677   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02678   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02679   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02680   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229756,  (0xc0100080, {24, 0, 0x40, 0, 1229756, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02681   304   NtSetInformationFile  (324, 1229812, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02682   304   NtSetInformationFile  (324, 1229804, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02683   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02684   304   NtWriteFile  (324, 129, 0, 0,  (324, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02685   304   NtReadFile  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (324, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02686   304   NtFsControlFile  (324, 129, 0x0, 0x0, 0x11c017,  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (324, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02687   304   NtClose  (328, ... ) == 0x0
 02688   304   NtClose  (324, ... ) == 0x0
 02689   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02690   304   NtQueryKey  (324, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02691   304   NtQuerySecurityObject  (324, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02692   304   NtQuerySecurityObject  (324, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02693   304   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 26542080, 524288, ) == 0x0
 02694   304   NtAllocateVirtualMemory  (-1, 26542080, 0, 4096, 4096, 4, ... 26542080, 4096, ) == 0x0
 02695   304   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02696   304   NtClose  (324, ... ) == 0x0
 02697   304   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 02698   304   NtFsControlFile  (324, 0, 0x0, 0x0, 0x600bc,  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (324, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02699   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02700   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02701   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02702   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02703   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231196,  (0xc0100080, {24, 0, 0x40, 0, 1231196, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02704   304   NtSetInformationFile  (332, 1231252, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02705   304   NtSetInformationFile  (332, 1231244, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02706   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02707   304   NtWriteFile  (332, 129, 0, 0,  (332, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02708   304   NtReadFile  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02709   304   NtFsControlFile  (332, 129, 0x0, 0x0, 0x11c017,  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\304\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (332, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\304\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02710   304   NtClose  (328, ... ) == 0x0
 02711   304   NtClose  (332, ... ) == 0x0
 02712   304   NtWaitForSingleObject  (316, 0, {-70000000, -1}, ... ) == 0x0
 02713   304   NtReleaseSemaphore  (316, 1, ... 0x0, ) == 0x0
 02714   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230708, ... ) }, 1230708, ... ) == 0x0
 02715   304   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02716   304   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02717   304   NtClose  (332, ... ) == 0x0
 02718   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02719   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02720   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02721   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02722   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231232,  (0xc0100080, {24, 0, 0x40, 0, 1231232, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02723   304   NtSetInformationFile  (328, 1231288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02724   304   NtSetInformationFile  (328, 1231280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02725   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02726   304   NtWriteFile  (328, 129, 0, 0,  (328, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02727   304   NtReadFile  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 02728   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\357"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 02729   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02730   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02731   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0`\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02732   304   NtFsControlFile  (328, 129, 0x0, 0x0, 0x11c017,  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0a\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02733   304   NtClose  (332, ... ) == 0x0
 02734   304   NtClose  (328, ... ) == 0x0
 02735   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230700, ... ) }, 1230700, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02736   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230700, ... ) }, 1230700, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02737   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230700, ... ) }, 1230700, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02738   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230700, ... ) }, 1230700, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02739   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230700, ... ) }, 1230700, ... ) == 0x0
 02740   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02741   304   NtQueryValueKey  (328,  (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 02742   304   NtClose  (328, ... ) == 0x0
 02743   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 328, ) }, ... 328, ) == 0x0
 02744   304   NtQueryValueKey  (328,  (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 02745   304   NtClose  (328, ... ) == 0x0
 02746   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 02747   304   NtQueryValueKey  (328,  (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02748   304   NtClose  (328, ... ) == 0x0
 02749   304   NtRaiseException  (1221200, 1220460, 1, ...
 02750   304   NtContinue  (1219256, 0, ...
 02751   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02752   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02753   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02754   304   NtRaiseException  (1221196, 1220456, 1, ...
 02755   304   NtContinue  (1219252, 0, ...
 02756   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02757   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02759   304   NtCreateMutant  (0x1f0001, {24, 64, 0x80, 1231864, 0,  (0x1f0001, {24, 64, 0x80, 1231864, 0, "HGFSMUTEX"}, 1, ... 328, ) }, 1, ... 328, ) == 0x0
 02760   304   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02761   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1228884, ... ) }, 1228884, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "shfolder.dll"}, 1228884, ... ) }, 1228884, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02763   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1228884, ... ) }, 1228884, ... ) == 0x0
 02764   304   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02765   304   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 02766   304   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02767   304   NtClose  (332, ... ) == 0x0
 02768   304   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 02769   304   NtClose  (336, ... ) == 0x0
 02770   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02771   304   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1326432, 0,  (0x1f0003, {24, 64, 0x80, 1326432, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 336, ) }, 0, 2147483647, ... 336, ) == STATUS_OBJECT_NAME_EXISTS
 02772   304   NtReleaseSemaphore  (336, 1, ... 0, ) == 0x0
 02773   304   NtWaitForSingleObject  (336, 0, {0, 0}, ... ) == 0x0
 02774   304   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02775   304   NtQueryValueKey  (332,  (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 02776   304   NtClose  (332, ... ) == 0x0
 02777   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1229416, ... ) }, 1229416, ... ) == 0x0
 02778   304   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02779   304   NtSetValueKey  (332,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (332, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 02780   304   NtClose  (332, ... ) == 0x0
 02781   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02782   304   NtQueryDirectoryFile  (332, 0, 0, 0, 1229556, 616, BothDirectory, 1,  (332, 0, 0, 0, 1229556, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 02783   304   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 02784   304   NtRaiseException  (1220836, 1220096, 1, ...
 02785   304   NtContinue  (1218892, 0, ...
 02786   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02787   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02788   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02789   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1231864, 1231440,  (0xc0100080, {24, 0, 0x40, 1231864, 1231440, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02790   304   NtRaiseException  (1220836, 1220096, 1, ...
 02791   304   NtContinue  (1218892, 0, ...
 02792   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02793   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02794   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02795   304   NtCreateSection  (0xf0007, {24, 64, 0x80, 1231864, 0,  (0xf0007, {24, 64, 0x80, 1231864, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 340, ... 344, ) }, {27876, 0}, 4, 134217728, 340, ... 344, ) == 0x0
 02796   304   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x19d0000), {0, 0}, 28672, ) == 0x0
 02797   304   NtReleaseMutant  (328, ... 0x0, ) == 0x0
 02798   304   NtRaiseException  (1222252, 1221512, 1, ...
 02799   304   NtContinue  (1220308, 0, ...
 02800   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02801   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02802   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02803   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232908, 1232496,  (0xc0100080, {24, 0, 0x40, 1232908, 1232496, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 02804   304   NtDeviceIoControlFile  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (348, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 02805   304   NtClose  (348, ... ) == 0x0
 02806   304   NtRaiseException  (1222232, 1221492, 1, ...
 02807   304   NtContinue  (1220288, 0, ...
 02808   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02809   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02811   304   NtRaiseException  (1222252, 1221512, 1, ...
 02812   304   NtContinue  (1220308, 0, ...
 02813   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02814   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02815   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02816   304   NtAllocateVirtualMemory  (-1, 1474560, 0, 20480, 4096, 4, ... 1474560, 20480, ) == 0x0
 02817   304   NtAllocateVirtualMemory  (-1, 1495040, 0, 20480, 4096, 4, ... 1495040, 20480, ) == 0x0
 02818   304   NtWaitForSingleObject  (316, 0, {-70000000, -1}, ... ) == 0x0
 02819   304   NtReleaseSemaphore  (316, 1, ... 0x0, ) == 0x0
 02820   304   NtOpenEvent  (0x100000, {24, 64, 0x0, 0, 0,  (0x100000, {24, 64, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 02821   304   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 02822   304   NtClose  (348, ... ) == 0x0
 02823   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02824   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02825   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02826   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02827   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231172,  (0xc0100080, {24, 0, 0x40, 0, 1231172, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02828   304   NtSetInformationFile  (352, 1231228, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02829   304   NtSetInformationFile  (352, 1231220, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02830   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02831   304   NtWriteFile  (352, 129, 0, 0,  (352, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02832   304   NtReadFile  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 02833   304   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\360"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 02834   304   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02835   304   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02836   304   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0b\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02837   304   NtFsControlFile  (352, 129, 0x0, 0x0, 0x11c017,  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (352, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0c\36\244\373\336?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02838   304   NtClose  (348, ... ) == 0x0
 02839   304   NtClose  (352, ... ) == 0x0
 02840   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02841   304   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02842   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02843   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02844   304   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231264,  (0xc0100080, {24, 0, 0x40, 0, 1231264, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02845   304   NtSetInformationFile  (348, 1231320, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02846   304   NtSetInformationFile  (348, 1231312, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02847   304   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02848   304   NtWriteFile  (348, 129, 0, 0,  (348, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02849   304   NtReadFile  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (348, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\320)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02850   304   NtFsControlFile  (348, 129, 0x0, 0x0, 0x11c017,  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\320)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (348, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\320)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02851   304   NtClose  (352, ... ) == 0x0
 02852   304   NtClose  (348, ... ) == 0x0
 02853   304   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02854   304   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02855   304   NtClose  (348, ... ) == 0x0
 02856   304   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02857   304   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02858   304   NtClose  (348, ... ) == 0x0
 02859   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02860   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02861   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02862   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02863   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02864   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02865   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02866   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02867   304   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02868   304   NtSetValueKey  (348,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (348, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 02869   304   NtClose  (348, ... ) == 0x0
 02870   304   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 348, ) }, ... 348, ) == 0x0
 02871   304   NtQueryValueKey  (348,  (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02872   304   NtClose  (348, ... ) == 0x0
 02873   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02874   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02875   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02876   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02877   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02878   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02879   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02880   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02881   304   NtWaitForSingleObject  (316, 0, {-70000000, -1}, ... ) == 0x0
 02882   304   NtReleaseSemaphore  (316, 1, ... 0x0, ) == 0x0
 02883   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02884   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02885   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02886   304   NtClose  (348, ... ) == 0x0
 02887   304   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02888   304   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Network"}, ... 352, ) }, ... 352, ) == 0x0
 02889   304   NtClose  (348, ... ) == 0x0
 02890   304   NtQueryKey  (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (352, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 02891   304   NtQuerySecurityObject  (352, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02892   304   NtQuerySecurityObject  (352, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02893   304   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 02894   304   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 02895   304   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "f"}, ... 348, ) }, ... 348, ) == 0x0
 02896   304   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02897   304   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02898   304   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02899   304   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02900   304   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02901   304   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02902   304   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02903   304   NtClose  (348, ... ) == 0x0
 02904   304   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 02905   304   NtOpenKey  (0x2001f, {24, 352, 0x40, 0, 0,  (0x2001f, {24, 352, 0x40, 0, 0, "u"}, ... 348, ) }, ... 348, ) == 0x0
 02906   304   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02907   304   NtQueryValueKey  (348,  (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 02908   304   NtQueryValueKey  (348,  (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02909   304   NtQueryValueKey  (348,  (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 02910   304   NtQueryValueKey  (348,  (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02911   304   NtQueryValueKey  (348,  (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02912   304   NtQueryValueKey  (348,  (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02913   304   NtClose  (348, ... ) == 0x0
 02914   304   NtClose  (352, ... ) == 0x0
 02915   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02916   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02917   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02918   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02919   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02920   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02921   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 352, ) }, ... 352, ) == 0x0
 02922   304   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 02923   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02924   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02925   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02926   304   NtClose  (348, ... ) == 0x0
 02927   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02928   304   NtEnumerateKey  (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (354, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 02929   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02930   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02931   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 348, ) }, ... 348, ) == 0x0
 02932   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 02933   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02934   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02935   304   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02936   304   NtClose  (356, ... ) == 0x0
 02937   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02938   304   NtQueryValueKey  (350,  (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (350, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02939   304   NtClose  (350, ... ) == 0x0
 02940   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02941   304   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 348, {status=0x0, info=1}, ) }, 3, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02942   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 356, ) }, ... 356, ) == 0x0
 02943   304   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\WinDfs\U:00000000000090de", 66, ) , 66, ) == 0x0
 02944   304   NtClose  (356, ... ) == 0x0
 02945   304   NtQueryVolumeInformationFile  (348, 1232584, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02946   304   NtClose  (348, ... ) == 0x0
 02947   304   NtEnumerateKey  (354, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02948   304   NtClose  (354, ... ) == 0x0
 02949   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02950   304   NtQueryDirectoryFile  (352, 0, 0, 0, 1231368, 616, BothDirectory, 1,  (352, 0, 0, 0, 1231368, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02951   304   NtClose  (352, ... ) == 0x0
 02952   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02953   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02954   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 352, ) }, ... 352, ) == 0x0
 02955   304   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02956   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02957   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02958   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02959   304   NtClose  (348, ... ) == 0x0
 02960   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02961   304   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02962   304   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 02963   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02964   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02965   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02966   304   NtClose  (348, ... ) == 0x0
 02967   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02968   304   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 02969   304   NtClose  (354, ... ) == 0x0
 02970   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02971   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02972   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02973   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02974   304   NtQueryValueKey  (352,  (352, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02975   304   NtClose  (352, ... ) == 0x0
 02976   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02977   304   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 02978   304   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02979   304   NtQueryValueKey  (352,  (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (352, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 02980   304   NtClose  (352, ... ) == 0x0
 02981   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02982   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02983   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02984   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02985   304   NtQueryValueKey  (352,  (352, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02986   304   NtClose  (352, ... ) == 0x0
 02987   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02988   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02989   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02990   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02991   304   NtQueryValueKey  (352,  (352, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02992   304   NtClose  (352, ... ) == 0x0
 02993   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02994   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02995   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02996   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 02997   304   NtQueryValueKey  (352,  (352, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02998   304   NtClose  (352, ... ) == 0x0
 02999   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03000   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03001   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03002   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03003   304   NtQueryValueKey  (352,  (352, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03004   304   NtClose  (352, ... ) == 0x0
 03005   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03006   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03007   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03008   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03009   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03010   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03011   304   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03012   304   NtClose  (352, ... ) == 0x0
 03013   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03014   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03015   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03016   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03017   304   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03018   304   NtClose  (352, ... ) == 0x0
 03019   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03020   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03021   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03022   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 352, ) }, ... 352, ) == 0x0
 03023   304   NtQueryValueKey  (352,  (352, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024   304   NtClose  (352, ... ) == 0x0
 03025   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03026   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03027   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03028   304   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "Advanced"}, ... 352, ) }, ... 352, ) == 0x0
 03029   304   NtQueryValueKey  (352,  (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03030   304   NtQueryValueKey  (352,  (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03031   304   NtQueryValueKey  (352,  (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03032   304   NtQueryValueKey  (352,  (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03033   304   NtQueryValueKey  (352,  (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03034   304   NtQueryValueKey  (352,  (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03035   304   NtQueryValueKey  (352,  (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03036   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03037   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03038   304   NtQueryValueKey  (352,  (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03039   304   NtQueryValueKey  (352,  (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03040   304   NtQueryValueKey  (352,  (352, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03041   304   NtQueryValueKey  (352,  (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03042   304   NtQueryValueKey  (352,  (352, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03043   304   NtClose  (352, ... ) == 0x0
 03044   304   NtCreateSemaphore  (0x1f0003, {24, 64, 0x80, 1326432, 0,  (0x1f0003, {24, 64, 0x80, 1326432, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 352, ) }, 0, 2147483647, ... 352, ) == STATUS_OBJECT_NAME_EXISTS
 03045   304   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03046   304   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03047   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03048   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03049   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03050   304   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03051   304   NtClose  (356, ... ) == 0x0
 03052   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03053   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03054   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03055   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03056   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03057   304   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03058   304   NtClose  (356, ... ) == 0x0
 03059   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03060   304   NtQueryValueKey  (350,  (350, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03061   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03062   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03063   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03064   304   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03065   304   NtClose  (356, ... ) == 0x0
 03066   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03067   304   NtQueryValueKey  (350,  (350, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03068   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03069   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03070   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03071   304   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03072   304   NtClose  (356, ... ) == 0x0
 03073   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03074   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03075   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03076   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03077   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 356, ) }, ... 356, ) == 0x0
 03078   304   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03079   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03080   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03081   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03082   304   NtClose  (360, ... ) == 0x0
 03083   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03084   304   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03085   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03086   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03087   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03088   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03089   304   NtClose  (360, ... ) == 0x0
 03090   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03091   304   NtQueryValueKey  (350,  (350, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03092   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03093   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03094   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03095   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03096   304   NtClose  (360, ... ) == 0x0
 03097   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03098   304   NtQueryValueKey  (350,  (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (350, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03099   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03100   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03101   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03102   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03103   304   NtClose  (360, ... ) == 0x0
 03104   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03105   304   NtQueryValueKey  (350,  (350, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03106   304   NtClose  (350, ... ) == 0x0
 03107   304   NtClose  (358, ... ) == 0x0
 03108   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 03109   304   NtQueryDirectoryFile  (356, 0, 0, 0, 1231292, 616, BothDirectory, 1,  (356, 0, 0, 0, 1231292, 616, BothDirectory, 1, "rczxtgv.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03110   304   NtClose  (356, ... ) == 0x0
 03111   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03112   304   NtOpenKey  (0x2000000, {24, 148, 0x40, 0, 0,  (0x2000000, {24, 148, 0x40, 0, 0, "FileExts"}, ... 356, ) }, ... 356, ) == 0x0
 03113   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03114   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03115   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03116   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03117   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03118   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 348, ) }, ... 348, ) == 0x0
 03119   304   NtQueryKey  (350, Name, 392, ... {Name= (350, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03120   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03121   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03122   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03123   304   NtClose  (360, ... ) == 0x0
 03124   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03125   304   NtQueryValueKey  (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (350, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03126   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03127   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03128   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 360, ) }, ... 360, ) == 0x0
 03129   304   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03130   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03131   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03132   304   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03133   304   NtClose  (364, ... ) == 0x0
 03134   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03135   304   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   304   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03137   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03138   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03139   304   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03140   304   NtClose  (364, ... ) == 0x0
 03141   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03142   304   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0, ""}, ... 364, ) == 0x0
 03143   304   NtClose  (362, ... ) == 0x0
 03144   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03145   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03146   304   NtReleaseSemaphore  (352, 1, ... 0, ) == 0x0
 03147   304   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x0
 03148   304   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03149   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03150   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03151   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03152   304   NtClose  (360, ... ) == 0x0
 03153   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03154   304   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03155   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03156   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03157   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03158   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03159   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03160   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03161   304   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03162   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03163   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03164   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03165   304   NtClose  (368, ... ) == 0x0
 03166   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03167   304   NtQueryValueKey  (362,  (362, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   304   NtClose  (362, ... ) == 0x0
 03169   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03170   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03171   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03172   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03173   304   NtClose  (360, ... ) == 0x0
 03174   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   304   NtQueryValueKey  (366,  (366, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03177   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03178   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03179   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03180   304   NtClose  (360, ... ) == 0x0
 03181   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03182   304   NtQueryValueKey  (366,  (366, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03183   304   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03184   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03185   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03186   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03187   304   NtClose  (360, ... ) == 0x0
 03188   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03189   304   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03190   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03191   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 360, ) }, ... 360, ) == 0x0
 03193   304   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03194   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03195   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03196   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03197   304   NtClose  (368, ... ) == 0x0
 03198   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03199   304   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03200   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03201   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03202   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03203   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03204   304   NtClose  (368, ... ) == 0x0
 03205   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03206   304   NtQueryValueKey  (366,  (366, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03207   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03208   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03209   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03210   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03211   304   NtClose  (368, ... ) == 0x0
 03212   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03213   304   NtQueryValueKey  (366,  (366, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03215   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03216   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03217   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03218   304   NtClose  (368, ... ) == 0x0
 03219   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03220   304   NtQueryValueKey  (366,  (366, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03221   304   NtClose  (350, ... ) == 0x0
 03222   304   NtClose  (366, ... ) == 0x0
 03223   304   NtClose  (362, ... ) == 0x0
 03224   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03225   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03226   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03227   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03228   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03229   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03230   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 360, ) }, ... 360, ) == 0x0
 03231   304   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03232   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03233   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03234   304   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03235   304   NtClose  (364, ... ) == 0x0
 03236   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03237   304   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03238   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03239   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03240   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 364, ) }, ... 364, ) == 0x0
 03241   304   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03242   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03243   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03244   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03245   304   NtClose  (348, ... ) == 0x0
 03246   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03247   304   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03248   304   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03249   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03250   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03251   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03252   304   NtClose  (348, ... ) == 0x0
 03253   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03254   304   NtOpenKey  (0x2000000, {24, 366, 0x40, 0, 0, ""}, ... 348, ) == 0x0
 03255   304   NtClose  (366, ... ) == 0x0
 03256   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03257   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03258   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03259   304   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03260   304   NtClose  (364, ... ) == 0x0
 03261   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03262   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03263   304   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03264   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03265   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03266   304   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03267   304   NtClose  (364, ... ) == 0x0
 03268   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03269   304   NtOpenKey  (0x1, {24, 362, 0x40, 0, 0,  (0x1, {24, 362, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03270   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03271   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03273   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03274   304   NtOpenKey  (0x1, {24, 162, 0x40, 0, 0,  (0x1, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03275   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03276   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03277   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03278   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03279   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03280   304   NtClose  (368, ... ) == 0x0
 03281   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03282   304   NtQueryValueKey  (366,  (366, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03283   304   NtClose  (366, ... ) == 0x0
 03284   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03285   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03286   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 364, ) }, ... 364, ) == 0x0
 03287   304   NtQueryKey  (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03288   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03289   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03290   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03291   304   NtClose  (368, ... ) == 0x0
 03292   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03293   304   NtOpenKey  (0x1, {24, 366, 0x40, 0, 0,  (0x1, {24, 366, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03294   304   NtClose  (362, ... ) == 0x0
 03295   304   NtClose  (350, ... ) == 0x0
 03296   304   NtClose  (366, ... ) == 0x0
 03297   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03298   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03299   304   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03300   304   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03302   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 364, ) }, ... 364, ) == 0x0
 03304   304   NtQueryKey  (366, Name, 392, ... {Name= (366, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03305   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03306   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03307   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03308   304   NtClose  (348, ... ) == 0x0
 03309   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03310   304   NtQueryValueKey  (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (366, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03311   304   NtQueryKey  (162, Name, 384, ... {Name= (162, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03312   304   NtOpenKey  (0x2000000, {24, 162, 0x40, 0, 0,  (0x2000000, {24, 162, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03313   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 348, ) }, ... 348, ) == 0x0
 03314   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03315   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03316   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03317   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03318   304   NtClose  (360, ... ) == 0x0
 03319   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03320   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03321   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03322   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03323   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03324   304   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03325   304   NtClose  (360, ... ) == 0x0
 03326   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03327   304   NtOpenKey  (0x2000000, {24, 350, 0x40, 0, 0, ""}, ... 360, ) == 0x0
 03328   304   NtClose  (350, ... ) == 0x0
 03329   304   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03330   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03331   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03332   304   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03333   304   NtClose  (348, ... ) == 0x0
 03334   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03335   304   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "shell\open"}, ... 348, ) }, ... 348, ) == 0x0
 03336   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03337   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03338   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03339   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03340   304   NtClose  (368, ... ) == 0x0
 03341   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03342   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03343   304   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03344   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03345   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03346   304   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03347   304   NtClose  (372, ... ) == 0x0
 03348   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03349   304   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03350   304   NtClose  (370, ... ) == 0x0
 03351   304   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03352   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03353   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03354   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03355   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03356   304   NtClose  (368, ... ) == 0x0
 03357   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03358   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03359   304   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03360   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03361   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03362   304   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03363   304   NtClose  (372, ... ) == 0x0
 03364   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03365   304   NtQueryValueKey  (370,  (370, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03366   304   NtClose  (370, ... ) == 0x0
 03367   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\rczxtgv.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03368   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03369   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03370   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03371   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03372   304   NtClose  (368, ... ) == 0x0
 03373   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03374   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03375   304   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03376   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03377   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03378   304   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03379   304   NtClose  (372, ... ) == 0x0
 03380   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03381   304   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03382   304   NtClose  (370, ... ) == 0x0
 03383   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03384   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03385   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03386   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03387   304   NtClose  (368, ... ) == 0x0
 03388   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03389   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03390   304   NtUserGetForegroundWindow  (... ) == 0x20060
 03391   304   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03392   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03393   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 03394   304   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03395   304   NtClose  (368, ... ) == 0x0
 03396   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03397   304   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "command"}, ... 368, ) }, ... 368, ) == 0x0
 03398   304   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03399   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03400   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03401   304   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03402   304   NtClose  (372, ... ) == 0x0
 03403   304   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03404   304   NtQueryValueKey  (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03405   304   NtClose  (370, ... ) == 0x0
 03406   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03407   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03408   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03409   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03410   304   NtQueryValueKey  (368,  (368, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03411   304   NtClose  (368, ... ) == 0x0
 03412   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03413   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03414   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03415   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03416   304   NtQueryValueKey  (368,  (368, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03417   304   NtClose  (368, ... ) == 0x0
 03418   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\rczxtgv.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03419   304   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03420   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\rczxtgv.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03421   304   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 03422   304   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 03423   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03424   304   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 368, ) }, ... 368, ) == 0x0
 03425   304   NtQueryValueKey  (368,  (368, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03426   304   NtClose  (368, ... ) == 0x0
 03427   304   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\rczxtgv.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03428   304   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03429   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1227780, ... ) }, 1227780, ... ) == 0x0
 03430   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1228472, ... ) }, 1228472, ... ) == 0x0
 03431   304   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03432   304   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03433   304   NtQueryVolumeInformationFile  (368, 1227780, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03434   304   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03435   304   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03436   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 03437   304   NtQueryInformationFile  (372, 1226368, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03438   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0
 03439   304   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x19f0000), 0x0, 1028096, ) == 0x0
 03440   304   NtQueryInformationFile  (372, 1226464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03441   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03442   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03443   304   NtQueryDirectoryFile  (380, 0, 0, 0, 1224028, 616, BothDirectory, 1,  (380, 0, 0, 0, 1224028, 616, BothDirectory, 1, "rczxtgv.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03444   304   NtClose  (380, ... ) == 0x0
 03445   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03446   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03447   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1223416, ... ) }, 1223416, ... ) == 0x0
 03448   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03449   304   NtQueryDirectoryFile  (380, 0, 0, 0, 1222776, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222776, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03450   304   NtClose  (380, ... ) == 0x0
 03451   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03452   304   NtQueryDirectoryFile  (380, 0, 0, 0, 1222776, 616, BothDirectory, 1,  (380, 0, 0, 0, 1222776, 616, BothDirectory, 1, "rczxtgv.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03453   304   NtClose  (380, ... ) == 0x0
 03454   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03455   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03456   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03457   304   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 380, {status=0x0, info=1}, ) }, 3, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 03458   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 384, ) }, ... 384, ) == 0x0
 03459   304   NtQuerySymbolicLinkObject  (384, ...  (384, ... "\Device\WinDfs\U:00000000000090de", 66, ) , 66, ) == 0x0
 03460   304   NtClose  (384, ... ) == 0x0
 03461   304   NtQueryVolumeInformationFile  (380, 1224168, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03462   304   NtClose  (380, ... ) == 0x0
 03463   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03464   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 380, ) == 0x0
 03465   304   NtQueryInformationToken  (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03466   304   NtClose  (380, ... ) == 0x0
 03467   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03468   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\rczxtgv.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03469   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03470   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03471   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rczxtgv.bat"}, 1225696, ... ) }, 1225696, ... ) == 0x0
 03472   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03473   304   NtQueryDirectoryFile  (380, 0, 0, 0, 1225056, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225056, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03474   304   NtClose  (380, ... ) == 0x0
 03475   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03476   304   NtQueryDirectoryFile  (380, 0, 0, 0, 1225056, 616, BothDirectory, 1,  (380, 0, 0, 0, 1225056, 616, BothDirectory, 1, "rczxtgv.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 03477   304   NtClose  (380, ... ) == 0x0
 03478   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03479   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03480   304   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03481   304   NtQueryVolumeInformationFile  (368, 1226340, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03482   304   NtQueryInformationFile  (368, 1226320, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03483   304   NtQueryInformationFile  (368, 1226360, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03484   304   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03485   304   NtUnmapViewOfSection  (-1, 0x19f0000, ... ) == 0x0
 03486   304   NtClose  (376, ... ) == 0x0
 03487   304   NtClose  (372, ... ) == 0x0
 03488   304   NtClose  (368, ... ) == 0x0
 03489   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1227756, ... ) }, 1227756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03490   304   NtQueryAttributesFile  ({24, 108, 0x40, 0, 0,  ({24, 108, 0x40, 0, 0, "cmd.exe"}, 1227756, ... ) }, 1227756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03491   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1227756, ... ) }, 1227756, ... ) == 0x0
 03492   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228472, ... ) }, 1228472, ... ) == 0x0
 03493   304   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 03494   304   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 368, ... 372, ) == 0x0
 03495   304   NtQuerySection  (372, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03496   304   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497   304   NtCreateProcessEx  (1230408, 2035711, 0, -1, 0, 372, 0, 0, 0, ... ) == 0x0
 03498   304   NtSetInformationProcess  (376, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03499   304   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1624,ParentPid=300,}, 0x0, ) == 0x0
 03500   304   NtReadVirtualMemory  (376, 0x7ffdf008, 4, ...  (376, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03501   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03502   304   NtReadVirtualMemory  (376, 0x4ad00000, 4096, ...  (376, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03503   304   NtReadVirtualMemory  (376, 0x4ad3b000, 256, ...  (376, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03504   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03505   304   NtQueryInformationProcess  (376, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1624,ParentPid=300,}, 0x0, ) == 0x0
 03506   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1228472, ... ) }, 1228472, ... ) == 0x0
 03507   304   NtAllocateVirtualMemory  (-1, 0, 0, 1644, 4096, 4, ... 27197440, 4096, ) == 0x0
 03508   304   NtAllocateVirtualMemory  (376, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03509   304   NtWriteVirtualMemory  (376, 0x10000,  (376, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03510   304   NtAllocateVirtualMemory  (376, 0, 0, 1644, 4096, 4, ... 131072, 4096, ) == 0x0
 03511   304   NtWriteVirtualMemory  (376, 0x20000,  (376, 0x20000, "\0\20\0\0l\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0>\0@\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\20\6\0\0\36\0 \0H\6\0\0\0\0\2\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1644, ... 0x0, ) , 1644, ... 0x0, ) == 0x0
 03512   304   NtWriteVirtualMemory  (376, 0x7ffdf010,  (376, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03513   304   NtWriteVirtualMemory  (376, 0x7ffdf1e8,  (376, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03514   304   NtFreeVirtualMemory  (-1, (0x19f0000), 0, 32768, ... (0x19f0000), 4096, ) == 0x0
 03515   304   NtAllocateVirtualMemory  (376, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03516   304   NtAllocateVirtualMemory  (376, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03517   304   NtCreateThread  (0x1f03ff, 0x0, 376, 1228672, 1229392, 1, ... 380, {1624, 1652}, ) == 0x0
 03518   304   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1230504, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1230504, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0X\6\0\0t\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\04\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 2317, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0X\6\0\0t\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\04\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 300, 304, 2317, 0}  (24, {168, 196, new_msg, 0, 0, 1230504, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0x\1\0\0|\1\0\0X\6\0\0t\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\04\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 2317, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0x\1\0\0|\1\0\0X\6\0\0t\6\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\04\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03519   304   NtResumeThread  (380, ... 1, ) == 0x0
 03520   304   NtClose  (368, ... ) == 0x0
 03521   304   NtClose  (372, ... ) == 0x0
 03522   304   NtClose  (350, ... ) == 0x0
 03523   304   NtClose  (366, ... ) == 0x0
 03524   304   NtClose  (362, ... ) == 0x0
 03525   304   NtClose  (376, ... ) == 0x0
 03526   304   NtClose  (380, ... ) == 0x0
 03527   304   NtGdiDeleteObjectApp  (50856774, ... ) == 0x1
 03528   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03529   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03530   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03531   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03532   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03533   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03534   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03535   304   NtUserGetClassInfo  (1989935104, 1232712, 1232664, 1232740, 0, ... ) == 0x0
 03536   304   NtUnmapViewOfSection  (-1, 0x1430000, ... ) == 0x0
 03537   304   NtClose  (280, ... ) == 0x0
 03538   304   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03539   304   NtUserDestroyWindow  (65766, ...
 03540   304   NtUserRemoveProp  (65766, 43288, ... ) == 0xffffffff
 03541   304   NtUserRemoveProp  (65766, 43282, ... ) == 0x0
 03542   304   NtUserRemoveProp  (65766, 43287, ... ) == 0x0
 03539   304   NtUserDestroyWindow  ... ) == 0x1
 03543   304   NtUserUnregisterClass  (1233852, 1998258176, 1233840, ... ) == 0x1
 03544   304   NtFreeVirtualMemory  (-1, (0x154000), 12288, 16384, ... (0x154000), 12288, ) == 0x0
 03545   304   NtClose  (184, ... ) == 0x0
 03546   304   NtClose  (176, ... ) == 0x0
 03547   304   NtClose  (180, ... ) == 0x0
 03548   304   NtClose  (156, ... ) == 0x0
 03549   304   NtClose  (172, ... ) == 0x0
 03550   304   NtClose  (204, ... ) == 0x0
 03551   304   NtClose  (208, ... ) == 0x0
 03552   304   NtClose  (200, ... ) == 0x0
 03553   304   NtClose  (192, ... ) == 0x0
 03554   304   NtClose  (196, ... ) == 0x0
 03555   304   NtClose  (220, ... ) == 0x0
 03556   304   NtClose  (224, ... ) == 0x0
 03557   304   NtClose  (212, ... ) == 0x0
 03558   304   NtClose  (216, ... ) == 0x0
 03559   304   NtClose  (244, ... ) == 0x0
 03560   304   NtClose  (236, ... ) == 0x0
 03561   304   NtClose  (240, ... ) == 0x0
 03562   304   NtClose  (228, ... ) == 0x0
 03563   304   NtClose  (232, ... ) == 0x0
 03564   304   NtClose  (248, ... ) == 0x0
 03565   304   NtClose  (252, ... ) == 0x0
 03566   304   NtClose  (264, ... ) == 0x0
 03567   304   NtClose  (268, ... ) == 0x0
 03568   304   NtClose  (256, ... ) == 0x0
 03569   304   NtClose  (260, ... ) == 0x0
 03570   304   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03571   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 1234728, ... ) }, 1234728, ... ) == 0x0
 03572   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 1235420, ... ) }, 1235420, ... ) == 0x0
 03573   304   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 03574   304   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 260, ... 256, ) == 0x0
 03575   304   NtQueryVolumeInformationFile  (260, 1234728, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03576   304   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03577   304   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03578   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 03579   304   NtQueryInformationFile  (268, 1233316, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03580   304   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 268, ... 264, ) == 0x0
 03581   304   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x19f0000), 0x0, 1028096, ) == 0x0
 03582   304   NtQueryInformationFile  (268, 1233412, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03583   304   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03584   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03585   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1230976, 616, BothDirectory, 1,  (252, 0, 0, 0, 1230976, 616, BothDirectory, 1, "winIogon.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03586   304   NtClose  (252, ... ) == 0x0
 03587   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03588   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03589   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 1230364, ... ) }, 1230364, ... ) == 0x0
 03590   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03591   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03592   304   NtClose  (252, ... ) == 0x0
 03593   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03594   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03595   304   NtClose  (252, ... ) == 0x0
 03596   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03597   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1,  (252, 0, 0, 0, 1229724, 616, BothDirectory, 1, "winIogon.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03598   304   NtClose  (252, ... ) == 0x0
 03599   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03600   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03601   304   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03602   304   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03603   304   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 252, ) == 0x0
 03604   304   NtQueryInformationToken  (252, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03605   304   NtClose  (252, ... ) == 0x0
 03606   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03607   304   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\winIogon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03608   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03609   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03610   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 1232644, ... ) }, 1232644, ... ) == 0x0
 03611   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03612   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1,  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03613   304   NtClose  (252, ... ) == 0x0
 03614   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03615   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1,  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03616   304   NtClose  (252, ... ) == 0x0
 03617   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 252, {status=0x0, info=1}, ) }, 3, 16417, ... 252, {status=0x0, info=1}, ) == 0x0
 03618   304   NtQueryDirectoryFile  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1,  (252, 0, 0, 0, 1232004, 616, BothDirectory, 1, "winIogon.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03619   304   NtClose  (252, ... ) == 0x0
 03620   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03621   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03622   304   NtWaitForSingleObject  (164, 0, {-1000000, -1}, ... ) == 0x0
 03623   304   NtQueryVolumeInformationFile  (260, 1233288, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03624   304   NtQueryInformationFile  (260, 1233268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03625   304   NtQueryInformationFile  (260, 1233308, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03626   304   NtReleaseMutant  (164, ... 0x0, ) == 0x0
 03627   304   NtUnmapViewOfSection  (-1, 0x19f0000, ... ) == 0x0
 03628   304   NtClose  (264, ... ) == 0x0
 03629   304   NtClose  (268, ... ) == 0x0
 03630   304   NtQuerySection  (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03631   304   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winIogon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03632   304   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03633   304   NtOpenProcessToken  (-1, 0xa, ... 268, ) == 0x0
 03634   304   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03635   304   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03636   304   NtQueryValueKey  (264,  (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (264, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03637   304   NtClose  (264, ... ) == 0x0
 03638   304   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 264, ) }, ... 264, ) == 0x0
 03639   304   NtQuerySymbolicLinkObject  (264, ...  (264, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03640   304   NtClose  (264, ... ) == 0x0
 03641   304   NtQueryInformationFile  (260, 1233080, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 03642   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03643   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03644   304   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe"}, 1231760, ... ) }, 1231760, ... ) == 0x0
 03645   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03646   304   NtQueryDirectoryFile  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03647   304   NtClose  (264, ... ) == 0x0
 03648   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03649   304   NtQueryDirectoryFile  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03650   304   NtClose  (264, ... ) == 0x0
 03651   304   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 264, {status=0x0, info=1}, ) }, 3, 16417, ... 264, {status=0x0, info=1}, ) == 0x0
 03652   304   NtQueryDirectoryFile  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1,  (264, 0, 0, 0, 1231120, 616, BothDirectory, 1, "winIogon.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 03653   304   NtClose  (264, ... ) == 0x0
 03654   304   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03655   304   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03656   304   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 264, ) }, ... 264, ) == 0x0
 03657   304   NtQueryValueKey  (264,  (264, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03658   304   NtClose  (264, ... ) == 0x0
 03659   304   NtQueryInformationToken  (268, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03660   304   NtQueryInformationToken  (268, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03661   304   NtClose  (268, ... ) == 0x0
 03662   304   NtCreateProcessEx  (1237356, 2035711, 0, -1, 4, 256, 0, 0, 0, ... ) == 0x0
 03663   304   NtSetInformationProcess  (268, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03664   304   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1656,ParentPid=300,}, 0x0, ) == 0x0
 03665   304   NtReadVirtualMemory  (268, 0x7ffdf008, 4, ...  (268, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03666   304   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winIogon.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03667   304   NtReadVirtualMemory  (268, 0x400000, 4096, ...  (268, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]c\221?P\0\0\0\0PE\0\0L\1\7\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\0\260R\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\0M\3208\0\0\0\0\0\0\0\0\0\240R\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.idata\0\0\0`\1\0\0\20\0\0\243\253\0\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03668   304   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03669   304   NtQueryInformationProcess  (268, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1656,ParentPid=300,}, 0x0, ) == 0x0
 03670   304   NtAllocateVirtualMemory  (-1, 0, 0, 1672, 4096, 4, ... 21168128, 4096, ) == 0x0
 03671   304   NtAllocateVirtualMemory  (268, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03672   304   NtWriteVirtualMemory  (268, 0x10000,  (268, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03673   304   NtAllocateVirtualMemory  (268, 0, 0, 1672, 4096, 4, ... 131072, 4096, ) == 0x0
 03674   304   NtWriteVirtualMemory  (268, 0x20000,  (268, 0x20000, "\0\20\0\0\210\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0o\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0@\0B\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0B\0 \6\0\0\36\0 \0d\6\0\0\0\0\2\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1672, ... 0x0, ) , 1672, ... 0x0, ) == 0x0
 03675   304   NtWriteVirtualMemory  (268, 0x7ffdf010,  (268, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03676   304   NtWriteVirtualMemory  (268, 0x7ffdf1e8,  (268, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03677   304   NtFreeVirtualMemory  (-1, (0x1430000), 0, 32768, ... (0x1430000), 4096, ) == 0x0
 03678   304   NtAllocateVirtualMemory  (268, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03679   304   NtAllocateVirtualMemory  (268, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03680   304   NtProtectVirtualMemory  (268, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03681   304   NtCreateThread  (0x1f03ff, 0x0, 268, 1235620, 1236340, 1, ... 264, {1656, 1660}, ) == 0x0
 03682   304   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1487096, 1237440}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1487096, 1237440} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0x\6\0\0|\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 2367, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0x\6\0\0|\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 300, 304, 2367, 0}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1487096, 1237440} "\0\0\0\0\0\0\1\0\2$\370w U\367w\17\1\0\0\10\1\0\0x\6\0\0|\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 300, 304, 2367, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\14\1\0\0\10\1\0\0x\6\0\0|\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03683   304   NtResumeThread  (264, ... 1, ) == 0x0
 03684   304   NtClose  (260, ... ) == 0x0
 03685   304   NtClose  (256, ... ) == 0x0
 03686   304   NtTerminateProcess  (0, 0, ...
 02227  1500   NtWaitForMultipleObjects  ... ) == 0xc0
 03686   304   NtTerminateProcess  ... ) == 0x0
 03687   304   NtRaiseException  (1237104, 1236364, 1, ...
 03688   304   NtContinue  (1235160, 0, ...
 03689   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03690   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03691   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03692   304   NtRaiseException  (1227080, 1226340, 1, ...
 03693   304   NtContinue  (1225136, 0, ...
 03694   304   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03695   304   NtOpenSection  (0x2, {24, 64, 0x0, 0, 0,  (0x2, {24, 64, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03696   304   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03697   304   NtUnmapViewOfSection  (-1, 0x19d0000, ... ) == 0x0
 03698   304   NtClose  (344, ... ) == 0x0
 03699   304   NtClose  (340, ... ) == 0x0
 03700   304   NtClose  (328, ... ) == 0x0
 03701   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03702   304   NtFreeVirtualMemory  (-1, (0x1940000), 0, 32768, ... (0x1940000), 65536, ) == 0x0
 03703   304   NtClose  (316, ... ) == 0x0
 03704   304   NtClose  (324, ... ) == 0x0
 03705   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 03706   304   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 03707   304   NtQueryValueKey  (324,  (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03708   304   NtClose  (324, ... ) == 0x0
 03709   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03710   304   NtFreeVirtualMemory  (-1, (0x1420000), 0, 32768, ... (0x1420000), 65536, ) == 0x0
 03711   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03712   304   NtFreeVirtualMemory  (-1, (0x12e0000), 0, 32768, ... (0x12e0000), 262144, ) == 0x0
 03713   304   NtUnmapViewOfSection  (-1, 0x12c0000, ... ) == 0x0
 03714   304   NtClose  (272, ... ) == 0x0
 03715   304   NtFreeVirtualMemory  (-1, (0x12d0000), 4096, 16384, ... (0x12d0000), 4096, ) == 0x0
 03716   304   NtFreeVirtualMemory  (-1, (0x12d0000), 0, 32768, ... (0x12d0000), 65536, ) == 0x0
 03717   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03718   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03719   304   NtUnmapViewOfSection  (-1, 0x1250000, ... ) == 0x0
 03720   304   NtClose  (104, ... ) == 0x0
 03721   304   NtGdiDeleteObjectApp  (286262072, ... ) == 0x1
 03722   304   NtUserGetProcessWindowStation  (... ) == 0x28
 03723   304   NtUserBuildNameList  (40, 256, 1339232, 1237744, ... ) == 0x0
 03724   304   NtUserGetProcessWindowStation  (... ) == 0x28
 03725   304   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x68
 03726   304   NtUserBuildHwndList  (104, 0, 0, 0, 64, ... (0x10066, 0x100de, 0x100ac, 0x100aa, 0x100a8, 0x60030, 0x2005c, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100e8, 0x100da, 0x100d4, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b2, 0x100b0, 0x20060, 0x100e4, 0x200e2, 0x100d2, 0x500b4, 0x200c6, 0x100ae, 0x20062, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 43, ) == 0x0
 03727   304   NtUserQueryWindow  (65638, 0, ... ) == 0x7d0
 03728   304   NtUserQueryWindow  (65638, 1, ... ) == 0x7dc
 03729   304   NtUserQueryWindow  (65758, 0, ... ) == 0x7d0
 03730   304   NtUserQueryWindow  (65758, 1, ... ) == 0x7dc
 03731   304   NtUserQueryWindow  (65708, 0, ... ) == 0xa4
 03732   304   NtUserQueryWindow  (65708, 1, ... ) == 0xcc
 03733   304   NtUserQueryWindow  (65706, 0, ... ) == 0xa4
 03734   304   NtUserQueryWindow  (65706, 1, ... ) == 0xcc
 03735   304   NtUserQueryWindow  (65704, 0, ... ) == 0xa4
 03736   304   NtUserQueryWindow  (65704, 1, ... ) == 0xcc
 03737   304   NtUserQueryWindow  (393264, 0, ... ) == 0xa4
 03738   304   NtUserQueryWindow  (393264, 1, ... ) == 0xcc
 03739   304   NtUserQueryWindow  (131164, 0, ... ) == 0x7d0
 03740   304   NtUserQueryWindow  (131164, 1, ... ) == 0x7dc
 03741   304   NtUserQueryWindow  (65664, 0, ... ) == 0x7d0
 03742   304   NtUserQueryWindow  (65664, 1, ... ) == 0x7dc
 03743   304   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x10088, 0x1008a, 0x1008c, 0x10090, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009c, 0x1009e, 0x100a0, 0x1, ), 13, ) == 0x0
 03744   304   NtUserQueryWindow  (65666, 0, ... ) == 0x7d0
 03745   304   NtUserQueryWindow  (65666, 1, ... ) == 0x7dc
 03746   304   NtUserQueryWindow  (65672, 0, ... ) == 0x7d0
 03747   304   NtUserQueryWindow  (65672, 1, ... ) == 0x7dc
 03748   304   NtUserQueryWindow  (65674, 0, ... ) == 0x7d0
 03749   304   NtUserQueryWindow  (65674, 1, ... ) == 0x7dc
 03750   304   NtUserQueryWindow  (65676, 0, ... ) == 0x7d0
 03751   304   NtUserQueryWindow  (65676, 1, ... ) == 0x7dc
 03752   304   NtUserQueryWindow  (65680, 0, ... ) == 0x7d0
 03753   304   NtUserQueryWindow  (65680, 1, ... ) == 0x7dc
 03754   304   NtUserQueryWindow  (65682, 0, ... ) == 0x7d0
 03755   304   NtUserQueryWindow  (65682, 1, ... ) == 0x7dc
 03756   304   NtUserQueryWindow  (65684, 0, ... ) == 0x7d0
 03757   304   NtUserQueryWindow  (65684, 1, ... ) == 0x7dc
 03758   304   NtUserQueryWindow  (65686, 0, ... ) == 0x7d0
 03759   304   NtUserQueryWindow  (65686, 1, ... ) == 0x7dc
 03760   304   NtUserQueryWindow  (65688, 0, ... ) == 0x7d0
 03761   304   NtUserQueryWindow  (65688, 1, ... ) == 0x7dc
 03762   304   NtUserQueryWindow  (65692, 0, ... ) == 0x7d0
 03763   304   NtUserQueryWindow  (65692, 1, ... ) == 0x7dc
 03764   304   NtUserQueryWindow  (65694, 0, ... ) == 0x7d0
 03765   304   NtUserQueryWindow  (65694, 1, ... ) == 0x7dc
 03766   304   NtUserQueryWindow  (65696, 0, ... ) == 0x7d0
 03767   304   NtUserQueryWindow  (65696, 1, ... ) == 0x7dc
 03768   304   NtUserQueryWindow  (65654, 0, ... ) == 0x7d0
 03769   304   NtUserQueryWindow  (65654, 1, ... ) == 0x7dc
 03770   304   NtUserQueryWindow  (65642, 0, ... ) == 0x7d0
 03771   304   NtUserQueryWindow  (65642, 1, ... ) == 0x7dc
 03772   304   NtUserQueryWindow  (196684, 0, ... ) == 0x7d0
 03773   304   NtUserQueryWindow  (196684, 1, ... ) == 0x7dc
 03774   304   NtUserQueryWindow  (65640, 0, ... ) == 0x7d0
 03775   304   NtUserQueryWindow  (65640, 1, ... ) == 0x7dc
 03776   304   NtUserQueryWindow  (196670, 0, ... ) == 0x7d0
 03777   304   NtUserQueryWindow  (196670, 1, ... ) == 0x7dc
 03778   304   NtUserBuildHwndList  (0, 196670, 1, 0, 64, ... (0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x3004a, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0
 03779   304   NtUserQueryWindow  (196674, 0, ... ) == 0x7d0
 03780   304   NtUserQueryWindow  (196674, 1, ... ) == 0x7dc
 03781   304   NtUserQueryWindow  (196672, 0, ... ) == 0x7d0
 03782   304   NtUserQueryWindow  (196672, 1, ... ) == 0x7dc
 03783   304   NtUserQueryWindow  (196676, 0, ... ) == 0x7d0
 03784   304   NtUserQueryWindow  (196676, 1, ... ) == 0x7dc
 03785   304   NtUserQueryWindow  (196678, 0, ... ) == 0x7d0
 03786   304   NtUserQueryWindow  (196678, 1, ... ) == 0x7dc
 03787   304   NtUserQueryWindow  (196680, 0, ... ) == 0x7d0
 03788   304   NtUserQueryWindow  (196680, 1, ... ) == 0x7dc
 03789   304   NtUserQueryWindow  (196682, 0, ... ) == 0x7d0
 03790   304   NtUserQueryWindow  (196682, 1, ... ) == 0x7dc
 03791   304   NtUserQueryWindow  (65644, 0, ... ) == 0x7d0
 03792   304   NtUserQueryWindow  (65644, 1, ... ) == 0x7dc
 03793   304   NtUserQueryWindow  (65648, 0, ... ) == 0x7d0
 03794   304   NtUserQueryWindow  (65648, 1, ... ) == 0x7dc
 03795   304   NtUserQueryWindow  (65652, 0, ... ) == 0x7d0
 03796   304   NtUserQueryWindow  (65652, 1, ... ) == 0x7dc
 03797   304   NtUserQueryWindow  (65690, 0, ... ) == 0x7d0
 03798   304   NtUserQueryWindow  (65690, 1, ... ) == 0x7dc
 03799   304   NtUserQueryWindow  (65678, 0, ... ) == 0x7d0
 03800   304   NtUserQueryWindow  (65678, 1, ... ) == 0x7dc
 03801   304   NtUserQueryWindow  (65662, 0, ... ) == 0x7d0
 03802   304   NtUserQueryWindow  (65662, 1, ... ) == 0x7d4
 03803   304   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03804   304   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 03805   304   NtUserQueryWindow  (65768, 0, ... ) == 0x658
 03806   304   NtUserQueryWindow  (65768, 1, ... ) == 0x674
 03807   304   NtUserQueryWindow  (65754, 0, ... ) == 0x4b0
 03808   304   NtUserQueryWindow  (65754, 1, ... ) == 0x4bc
 03809   304   NtUserQueryWindow  (65748, 0, ... ) == 0x4b0
 03810   304   NtUserQueryWindow  (65748, 1, ... ) == 0x4bc
 03811   304   NtUserQueryWindow  (65730, 0, ... ) == 0xd0
 03812   304   NtUserQueryWindow  (65730, 1, ... ) == 0xd8
 03813   304   NtUserQueryWindow  (65728, 0, ... ) == 0xd0
 03814   304   NtUserQueryWindow  (65728, 1, ... ) == 0xd8
 03815   304   NtUserQueryWindow  (65726, 0, ... ) == 0xd0
 03816   304   NtUserQueryWindow  (65726, 1, ... ) == 0xd8
 03817   304   NtUserQueryWindow  (65724, 0, ... ) == 0xd0
 03818   304   NtUserQueryWindow  (65724, 1, ... ) == 0xd8
 03819   304   NtUserQueryWindow  (65722, 0, ... ) == 0xd0
 03820   304   NtUserQueryWindow  (65722, 1, ... ) == 0xd8
 03821   304   NtUserQueryWindow  (65720, 0, ... ) == 0xd0
 03822   304   NtUserQueryWindow  (65720, 1, ... ) == 0xd8
 03823   304   NtUserQueryWindow  (65714, 0, ... ) == 0xd0
 03824   304   NtUserQueryWindow  (65714, 1, ... ) == 0xd8
 03825   304   NtUserQueryWindow  (65712, 0, ... ) == 0xd0
 03826   304   NtUserQueryWindow  (65712, 1, ... ) == 0xd8
 03827   304   NtUserQueryWindow  (131168, 0, ... ) == 0xe0
 03828   304   NtUserQueryWindow  (131168, 1, ... ) == 0xd4
 03829   304   NtUserQueryWindow  (65764, 0, ... ) == 0x7d0
 03830   304   NtUserQueryWindow  (65764, 1, ... ) == 0x154
 03831   304   NtUserQueryWindow  (131298, 0, ... ) == 0x7d0
 03832   304   NtUserQueryWindow  (131298, 1, ... ) == 0x5b0
 03833   304   NtUserQueryWindow  (65746, 0, ... ) == 0x7d0
 03834   304   NtUserQueryWindow  (65746, 1, ... ) == 0x4b4
 03835   304   NtUserQueryWindow  (327860, 0, ... ) == 0x7d0
 03836   304   NtUserQueryWindow  (327860, 1, ... ) == 0x4b4
 03837   304   NtUserBuildHwndList  (0, 327860, 1, 0, 64, ... (0x100ca, 0x100cc, 0x100ce, 0x100d0, 0x1, ), 5, ) == 0x0
 03838   304   NtUserQueryWindow  (65738, 0, ... ) == 0x7d0
 03839   304   NtUserQueryWindow  (65738, 1, ... ) == 0x4b4
 03840   304   NtUserQueryWindow  (65740, 0, ... ) == 0x7d0
 03841   304   NtUserQueryWindow  (65740, 1, ... ) == 0x4b4
 03842   304   NtUserQueryWindow  (65742, 0, ... ) == 0x7d0
 03843   304   NtUserQueryWindow  (65742, 1, ... ) == 0x4b4
 03844   304   NtUserQueryWindow  (65744, 0, ... ) == 0x7d0
 03845   304   NtUserQueryWindow  (65744, 1, ... ) == 0x4b4
 03846   304   NtUserQueryWindow  (131270, 0, ... ) == 0x7d0
 03847   304   NtUserQueryWindow  (131270, 1, ... ) == 0x7dc
 03848   304   NtUserQueryWindow  (65710, 0, ... ) == 0xa4
 03849   304   NtUserQueryWindow  (65710, 1, ... ) == 0xcc
 03850   304   NtUserQueryWindow  (131170, 0, ... ) == 0xc8
 03851   304   NtUserQueryWindow  (131170, 1, ... ) == 0xb4
 03852   304   NtUserQueryWindow  (65646, 0, ... ) == 0x7d0
 03853   304   NtUserQueryWindow  (65646, 1, ... ) == 0x8c
 03854   304   NtUserQueryWindow  (327760, 0, ... ) == 0x7d0
 03855   304   NtUserQueryWindow  (327760, 1, ... ) == 0x7d4
 03856   304   NtUserQueryWindow  (262228, 0, ... ) == 0x7d0
 03857   304   NtUserQueryWindow  (262228, 1, ... ) == 0x7d4
 03858   304   NtUserQueryWindow  (327758, 0, ... ) == 0x7d0
 03859   304   NtUserQueryWindow  (327758, 1, ... ) == 0x7d4
 03860   304   NtUserQueryWindow  (65668, 0, ... ) == 0x7d0
 03861   304   NtUserQueryWindow  (65668, 1, ... ) == 0x7d4
 03862   304   NtUserQueryWindow  (65656, 0, ... ) == 0x7d0
 03863   304   NtUserQueryWindow  (65656, 1, ... ) == 0x7d4
 03864   304   NtUserBuildHwndList  (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0
 03865   304   NtUserQueryWindow  (65658, 0, ... ) == 0x7d0
 03866   304   NtUserQueryWindow  (65658, 1, ... ) == 0x7d4
 03867   304   NtUserQueryWindow  (65660, 0, ... ) == 0x7d0
 03868   304   NtUserQueryWindow  (65660, 1, ... ) == 0x7d4
 03869   304   NtUserCloseDesktop  (104, ...
 03870   304   NtClose  (104, ... ) == 0x0
 03869   304   NtUserCloseDesktop  ... ) == 0x1
 03871   304   NtUserGetProcessWindowStation  (... ) == 0x28
 03872   304   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03873   304   NtUserGetProcessWindowStation  (... ) == 0x28
 03874   304   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03875   304   NtGdiDeleteObjectApp  (151651089, ... ) == 0x1
 03876   304   NtGdiDeleteObjectApp  (151651140, ... ) == 0x1
 03877   304   NtClose  (12, ... ) == 0x0
 03878   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03879   304   NtFreeVirtualMemory  (-1, (0x14e000), 16384, 16384, ... (0x14e000), 16384, ) == 0x0
 03880   304   NtClose  (96, ... ) == 0x0
 03881   304   NtUnmapViewOfSection  (-1, 0x11f0000, ... ) == 0x0
 03882   304   NtClose  (100, ... ) == 0x0
 03883   304   NtClose  (92, ... ) == 0x0
 03884   304   NtFreeVirtualMemory  (-1, (0x1210000), 0, 32768, ... (0x1210000), 262144, ) == 0x0
 03885   304   NtUserUnregisterClass  (1237704, 1991376896, 1237692, ... ) == 0x0
 03886   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03887   304   NtUnmapViewOfSection  (-1, 0x1540000, ... ) == 0x0
 03888   304   NtClose  (312, ... ) == 0x0
 03889   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc03b
 03890   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03891   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc03d
 03892   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03893   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc03f
 03894   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03895   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc041
 03896   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03897   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc043
 03898   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03899   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc045
 03900   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03901   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc047
 03902   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03903   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc049
 03904   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03905   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc04b
 03906   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03907   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc04d
 03908   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03909   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc04f
 03910   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03911   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc051
 03912   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03913   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc053
 03914   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03915   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc057
 03916   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03917   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc059
 03918   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03919   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc05b
 03920   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03921   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc05d
 03922   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03923   304   NtUserGetClassInfo  (1999896576, 1237792, 1237744, 1237820, 0, ... ) == 0xc05f
 03924   304   NtUserUnregisterClass  (1237796, 1999896576, 1237784, ... ) == 0x1
 03925   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc03b
 03926   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03927   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc03d
 03928   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03929   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc03f
 03930   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03931   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc041
 03932   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03933   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc043
 03934   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03935   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc045
 03936   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03937   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc047
 03938   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03939   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc049
 03940   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03941   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc04b
 03942   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03943   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc04d
 03944   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03945   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc04f
 03946   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03947   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc051
 03948   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03949   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc053
 03950   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03951   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc057
 03952   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03953   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc059
 03954   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03955   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc05b
 03956   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03957   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc05d
 03958   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03959   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc05f
 03960   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03961   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc017
 03962   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03963   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc019
 03964   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03965   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc018
 03966   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03967   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc01a
 03968   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03969   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc01c
 03970   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03971   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc01e
 03972   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03973   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc01b
 03974   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03975   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc068
 03976   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03977   304   NtUserGetClassInfo  (1905590272, 1237792, 1237744, 1237820, 0, ... ) == 0xc06a
 03978   304   NtUserUnregisterClass  (1237796, 1905590272, 1237784, ... ) == 0x1
 03979   304   NtUnmapViewOfSection  (-1, 0x1200000, ... ) == 0x0
 03980   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 03981   304   NtClose  (336, ... ) == 0x0
 03982   304   NtClose  (152, ... ) == 0x0
 03983   304   NtClose  (352, ... ) == 0x0
 03984   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03985   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03986   304   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03987   304   NtClose  (148, ... ) == 0x0
 03988   304   NtClose  (356, ... ) == 0x0
 03989   304   NtClose  (112, ... ) == 0x0
 03990   304   NtFreeVirtualMemory  (-1, (0xd60000), 4096, 32768, ... (0xd60000), 4096, ) == 0x0
 03991   304   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237928}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237928} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 300, 304, 2375, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 300, 304, 2375, 0}  (24, {20, 48, new_msg, 0, 0, 0, 1310720, 1237928} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 300, 304, 2375, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 03992   304   NtTerminateProcess  (-1, 0, ...
 03993   304   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtGdiHfontCreate(>)	2	NtCreateSemaphore(>)	7	NtQuerySection(>)	30
NtAllocateLocallyUniqueId(>)	1	NtOpenDirectoryObject(>)	2	NtOpenSymbolicLinkObject(>)	7	NtEnumerateKey(>)	32
NtCallbackReturn(>)	1	NtQueryInstallUILanguage(>)	2	NtQuerySymbolicLinkObject(>)	7	NtCreateEvent(>)	33
NtClearEvent(>)	1	NtRegisterThreadTerminatePort(>)	2	NtReadVirtualMemory(>)	7	NtCreateFile(>)	33
NtConnectPort(>)	1	NtSetEvent(>)	2	NtUserCallNoParam(>)	7	NtOpenThreadToken(>)	34
NtDelayExecution(>)	1	NtTestAlert(>)	2	NtQueryVirtualMemory(>)	8	NtQueryInformationFile(>)	34
NtDuplicateToken(>)	1	NtUserCloseDesktop(>)	2	NtQueryDefaultUILanguage(>)	10	NtReleaseMutant(>)	38
NtGdiCreateBitmap(>)	1	NtUserCreateWindowEx(>)	2	NtUserGetWindowDC(>)	10	NtUnmapViewOfSection(>)	40
NtGdiCreateHalftonePalette(>)	1	NtUserDestroyWindow(>)	2	NtUserCallOneParam(>)	11	NtProtectVirtualMemory(>)	41
NtGdiCreatePaletteInternal(>)	1	NtUserGetObjectInformation(>)	2	NtUserSystemParametersInfo(>)	11	NtQueryDefaultLocale(>)	42
NtGdiCreatePatternBrushInternal(>)	1	NtUserMessageCall(>)	2	NtWriteFile(>)	11	NtQueryInformationProcess(>)	47
NtGdiDoPalette(>)	1	NtUserWaitForInputIdle(>)	2	NtSetValueKey(>)	12	NtUserUnregisterClass(>)	47
NtGdiInit(>)	1	NtCreateProcessEx(>)	3	NtWriteVirtualMemory(>)	12	NtUserFindExistingCursorIcon(>)	49
NtGdiQueryFontAssocInfo(>)	1	NtDuplicateObject(>)	3	NtNotifyChangeKey(>)	15	NtCreateSection(>)	60
NtGdiSelectBitmap(>)	1	NtOpenMutant(>)	3	NtOpenProcessToken(>)	15	NtUserRegisterClassExWOW(>)	65
NtOpenKeyedEvent(>)	1	NtOpenProcess(>)	3	NtRequestWaitReplyPort(>)	16	NtWaitForSingleObject(>)	66
NtQueryFullAttributesFile(>)	1	NtQueryInformationJobObject(>)	3	NtCreateKey(>)	17	NtOpenSection(>)	73
NtQueryInformationThread(>)	1	NtTerminateProcess(>)	3	NtDeviceIoControlFile(>)	17	NtReadFile(>)	77
NtQueryObject(>)	1	NtUserOpenDesktop(>)	3	NtFreeVirtualMemory(>)	17	NtMapViewOfSection(>)	82
NtQueryPerformanceCounter(>)	1	NtUserRemoveProp(>)	3	NtFsControlFile(>)	17	NtAllocateVirtualMemory(>)	85
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryVolumeInformationFile(>)	17	NtQuerySystemInformation(>)	89
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtFlushInstructionCache(>)	19	NtUserGetClassInfo(>)	91
NtUserBuildNameList(>)	1	NtCreateThread(>)	4	NtUserRegisterWindowMessage(>)	19	NtOpenFile(>)	99
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtEnumerateValueKey(>)	23	NtOpenProcessTokenEx(>)	111
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtQueryDebugFilterState(>)	25	NtOpenThreadTokenEx(>)	111
NtUserGetForegroundWindow(>)	1	NtQuerySecurityObject(>)	4	NtRaiseException(>)	25	NtQueryInformationToken(>)	129
NtUserGetGUIThreadInfo(>)	1	NtResumeThread(>)	4	NtSetInformationProcess(>)	25	NtQueryKey(>)	129
NtUserGetThreadDesktop(>)	1	NtGdiGetStockObject(>)	5	NtSetInformationFile(>)	27	NtUserQueryWindow(>)	138
NtUserSetProp(>)	1	NtSetInformationObject(>)	5	NtSetInformationThread(>)	27	NtQueryAttributesFile(>)	154
NtAccessCheck(>)	2	NtUserBuildHwndList(>)	5	NtReleaseSemaphore(>)	28	NtQueryValueKey(>)	226
NtCreateIoCompletion(>)	2	NtUserGetProcessWindowStation(>)	5	NtQueryDirectoryFile(>)	29	NtOpenKey(>)	480
NtGdiCreateSolidBrush(>)	2	NtGdiDeleteObjectApp(>)	6	NtContinue(>)	30	NtClose(>)	597