Summary (each entry: system call name, then the number of times it was called):

NtAddAtom(>) 1 NtEnumerateKey(>) 2 NtResumeThread(>) 4 NtCreateEvent(>) 23
NtClearEvent(>) 1 NtGdiCreateSolidBrush(>) 2 NtWriteVirtualMemory(>) 4 NtQueryDirectoryFile(>) 24
NtCreateProcessEx(>) 1 NtGdiDeleteObjectApp(>) 2 NtGdiGetStockObject(>) 5 NtOpenProcessTokenEx(>) 28
NtDuplicateToken(>) 1 NtGdiHfontCreate(>) 2 NtOpenThreadToken(>) 5 NtOpenThreadTokenEx(>) 28
NtGdiCreateBitmap(>) 1 NtLockFile(>) 2 NtUserBuildHwndList(>) 5 NtCreateFile(>) 30
NtGdiInit(>) 1 NtOpenDirectoryObject(>) 2 NtUserGetProcessWindowStation(>) 5 NtQueryInformationFile(>) 33
NtGdiQueryFontAssocInfo(>) 1 NtOpenEvent(>) 2 NtDuplicateObject(>) 6 NtQueryInformationToken(>) 36
NtGdiSelectBitmap(>) 1 NtOpenSymbolicLinkObject(>) 2 NtFsControlFile(>) 6 NtSetInformationFile(>) 36
NtOpenKeyedEvent(>) 1 NtQueryInstallUILanguage(>) 2 NtSetEventBoostPriority(>) 6 NtOpenSection(>) 37
NtOpenMutant(>) 1 NtQuerySymbolicLinkObject(>) 2 NtTestAlert(>) 6 NtQueryDefaultLocale(>) 39
NtOpenProcess(>) 1 NtReadVirtualMemory(>) 2 NtOpenProcessToken(>) 7 NtProtectVirtualMemory(>) 40
NtQueryFullAttributesFile(>) 1 NtUnlockFile(>) 2 NtRegisterThreadTerminatePort(>) 7 NtCreateSection(>) 41
NtQueryInformationJobObject(>) 1 NtUserCloseDesktop(>) 2 NtQueryDefaultUILanguage(>) 8 NtUserUnregisterClass(>) 46
NtQueryObject(>) 1 NtUserGetObjectInformation(>) 2 NtQueryVirtualMemory(>) 8 NtUserFindExistingCursorIcon(>) 48
NtQuerySystemTime(>) 1 NtUserWaitForInputIdle(>) 2 NtWaitForSingleObject(>) 10 NtUnmapViewOfSection(>) 54
NtReleaseMutant(>) 1 NtYieldExecution(>) 2 NtEnumerateValueKey(>) 11 NtDelayExecution(>) 58
NtSecureConnectPort(>) 1 NtCreateSemaphore(>) 3 NtQueryVolumeInformationFile(>) 11 NtUserRegisterClassExWOW(>) 64
NtSetEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationProcess(>) 11 NtOpenFile(>) 68
NtUserBuildNameList(>) 1 NtNotifyChangeKey(>) 3 NtSetValueKey(>) 11 NtReadFile(>) 74
NtUserCreateWindowEx(>) 1 NtQueryInformationThread(>) 3 NtUserSystemParametersInfo(>) 11 NtQueryAttributesFile(>) 76
NtUserGetAtomName(>) 1 NtSetInformationObject(>) 3 NtWriteFile(>) 11 NtUserGetClassInfo(>) 82
NtUserGetDC(>) 1 NtTerminateProcess(>) 3 NtCreateKey(>) 13 NtAllocateVirtualMemory(>) 84
NtUserGetGUIThreadInfo(>) 1 NtTerminateThread(>) 3 NtFreeVirtualMemory(>) 13 NtMapViewOfSection(>) 87
NtUserGetThreadDesktop(>) 1 NtUserCallNoParam(>) 3 NtSetInformationThread(>) 13 NtQuerySystemInformation(>) 89
NtUserKillTimer(>) 1 NtUserCallOneParam(>) 3 NtFlushInstructionCache(>) 16 NtUserQueryWindow(>) 136
NtUserSetTimer(>) 1 NtUserGetWindowDC(>) 3 NtQueryDebugFilterState(>) 16 NtOpenKey(>) 156
NtUserSetWindowsHookEx(>) 1 NtUserOpenDesktop(>) 3 NtDeviceIoControlFile(>) 17 NtQueryValueKey(>) 197
NtUserUnhookWindowsHookEx(>) 1 NtUserRegisterWindowMessage(>) 3 NtQuerySection(>) 20 NtClose(>) 299
NtAccessCheck(>) 2 NtConnectPort(>) 4 NtContinue(>) 21
NtCallbackReturn(>) 2 NtCreateMutant(>) 4 NtQueryInformationProcess(>) 21
NtCreateIoCompletion(>) 2

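Trace (each entry: sequence number, caller id (284 throughout, apparently the thread id), call with its arguments, then "==" and the returned status; a sequence number that appears twice is a call that was still in progress when the next entry was logged):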

00001 284 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 284 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 284 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 284 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 284 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 284 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 284 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 284 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 284 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 284 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 284 NtClose (12, ... 
) == 0x0 00014 284 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 284 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 284 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 284 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 284 NtClose (16, ... ) == 0x0 00021 284 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 284 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 284 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 284 NtClose (16, ... ) == 0x0 00026 284 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 284 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 284 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 284 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 284 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 280, 284, 1471, 0} "`\245\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 280, 284, 1471, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 280, 284, 1471, 0} "`\245\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 284 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 284 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 284 NtClose (16, ... ) == 0x0 00036 284 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 284 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 284 NtClose (28, ... ) == 0x0 00041 284 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 284 NtClose (28, ... ) == 0x0 00045 284 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 284 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 284 NtClose (28, ... ) == 0x0 00049 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 284 NtClose (28, ... ) == 0x0 00052 284 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 280, 284, 1484, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 280, 284, 1484, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 280, 284, 1484, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 284 NtProtectVirtualMemory (-1, (0x423000), 69632, 4, ... (0x423000), 69632, 128, ) == 0x0 00057 284 NtProtectVirtualMemory (-1, (0x423000), 69632, 128, ... (0x423000), 69632, 4, ) == 0x0 00058 284 NtFlushInstructionCache (-1, 4337664, 69632, ... ) == 0x0 00059 284 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 284 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 284 NtClose (28, ... ) == 0x0 00062 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 284 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 284 NtClose (28, ... ) == 0x0 00065 284 NtTestAlert (... ) == 0x0 00066 284 NtContinue (1244464, 1, ... 00067 284 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x424000,}, 4, ... ) == 0x0 00068 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 284 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 284 NtClose (28, ... ) == 0x0 00071 284 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00072 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00073 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00074 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0 00076 284 NtClose (28, ... ) == 0x0 00077 284 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244956, (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ... 00078 284 NtClose (-2147482028, ... ) == 0x0 00077 284 NtCreateFile ... 28, {status=0x0, info=2}, ) == 0x0 00079 284 NtWriteFile (28, 0, 0, 0, (28, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 
\0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0 00080 284 NtClose (28, ... ) == 0x0 00081 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0 00082 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244368, (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) == 0x0 00083 284 NtQueryVolumeInformationFile (28, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00084 284 NtQueryInformationFile (28, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00085 284 NtQueryInformationFile (28, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00086 284 NtSetInformationFile (28, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00087 284 NtSetInformationFile (28, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00088 284 NtReadFile (28, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (28, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00089 284 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 3276800, 524288, ) == 0x0 00090 284 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00091 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00092 284 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244372, (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00093 284 NtClose (-2147482028, ... ) == 0x0 00092 284 NtCreateFile ... 32, {status=0x0, info=2}, ) == 0x0 00094 284 NtQueryVolumeInformationFile (32, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00095 284 NtQueryInformationFile (32, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00096 284 NtAllocateVirtualMemory (-1, 1327104, 0, 8192, 4096, 4, ... 1327104, 8192, ) == 0x0 00097 284 NtAllocateVirtualMemory (-1, 1335296, 0, 36864, 4096, 4, ... 1335296, 36864, ) == 0x0 00098 284 NtAllocateVirtualMemory (-1, 1372160, 0, 36864, 4096, 4, ... 1372160, 36864, ) == 0x0 00099 284 NtQueryInformationFile (28, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00100 284 NtSetInformationFile (28, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00101 284 NtSetInformationFile (28, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00102 284 NtReadFile (28, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (28, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00103 284 NtSetInformationFile (28, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00104 284 NtSetInformationFile (32, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00105 284 NtReadFile (28, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, (28, 0, 0, 0, 32768, 0x0, 0, ... 
{status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0 00106 284 NtWriteFile (32, 0, 0, 0, (32, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 
\10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 00107 284 NtWriteFile (32, 0, 0, 0, (32, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0 00108 284 NtQueryInformationFile (28, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00109 284 NtSetInformationFile (32, 1244896, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 00110 284 NtFreeVirtualMemory (-1, (0x144000), 81920, 16384, ... (0x144000), 81920, ) == 0x0 00111 284 NtClose (32, ... ) == 0x0 00112 284 NtClose (28, ... ) == 0x0 00113 284 NtUnmapViewOfSection (-1, 0x73dc0000, ... ) == 0x0 00114 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0 00115 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00116 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0 00117 284 NtClose (28, ... ) == 0x0 00118 284 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 36864, ) == 0x0 00119 284 NtClose (32, ... ) == 0x0 00120 284 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00121 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0 00122 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00123 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00124 284 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00125 284 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00126 284 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00127 284 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 
40, ) == 0x0 00129 284 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00130 284 NtClose (40, ... ) == 0x0 00131 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00132 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00133 284 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00134 284 NtClose (40, ... ) == 0x0 00135 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00136 284 NtClose (36, ... ) == 0x0 00137 284 NtClose (32, ... ) == 0x0 00138 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0 00139 284 NtClose (28, ... ) == 0x0 00140 284 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0 00141 284 NtProtectVirtualMemory (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0 00142 284 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00143 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00144 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00145 284 NtClose (28, ... ) == 0x0 00146 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00147 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00148 284 NtClose (28, ... ) == 0x0 00149 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00150 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00151 284 NtClose (28, ... ) == 0x0 00152 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00153 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00154 284 NtClose (28, ... ) == 0x0 00155 284 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00156 284 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00157 284 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00158 284 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00159 284 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00160 284 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00161 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00162 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == 0x0 00165 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00166 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00167 284 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00168 284 NtClose (28, ... 
) == 0x0 00169 284 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00170 284 NtClose (32, ... ) == 0x0 00171 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0 00172 284 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00173 284 NtClose (32, ... ) == 0x0 00174 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0 00178 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00179 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00180 284 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00181 284 NtClose (32, ... ) == 0x0 00182 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00183 284 NtClose (28, ... ) == 0x0 00184 284 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00185 284 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00186 284 NtFlushInstructionCache (-1, 268439552, 308, ... 
) == 0x0 00187 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00188 284 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00189 284 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00190 284 NtClose (28, ... ) == 0x0 00191 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00192 284 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 284 NtClose (28, ... ) == 0x0 00194 284 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00195 284 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00196 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 284 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00198 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 280, 284, 1506, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 280, 284, 1506, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 280, 284, 1506, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00199 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00200 284 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0 00201 284 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00202 284 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00203 284 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00204 284 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00205 284 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00206 284 NtClose (-2147482020, ... ) == 0x0 00207 284 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3801088, 4096, ) == 0x0 00208 284 NtFreeVirtualMemory (-1, (0x3a0000), 4096, 32768, ... (0x3a0000), 4096, ) == 0x0 00209 284 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 
48, ) == 0x0 00210 284 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00211 284 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00212 284 NtClose (-2147482020, ... ) == 0x0 00213 284 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00214 284 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 284 NtClose (-2147482020, ... ) == 0x0 00216 284 NtQueryDefaultLocale (0, -104224244, ... ) == 0x0 00217 284 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00218 284 NtUserCallNoParam (24, ... ) == 0x0 00219 284 NtGdiCreateCompatibleDC (0, ... 00220 284 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0 00219 284 NtGdiCreateCompatibleDC ... ) == 0xb010403 00221 284 NtGdiGetStockObject (0, ... ) == 0x1900010 00222 284 NtGdiGetStockObject (4, ... ) == 0x1900011 00223 284 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xc050405 00224 284 NtGdiCreateSolidBrush (0, 0, ... 00225 284 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3866624, 4096, ) == 0x0 00224 284 NtGdiCreateSolidBrush ... ) == 0x43100383 00226 284 NtGdiGetStockObject (13, ... ) == 0x18a0021 00227 284 NtGdiCreateCompatibleDC (0, ... ) == 0xe0103ff 00228 284 NtGdiSelectBitmap (234947583, 201655301, ... ) == 0x185000f 00229 284 NtUserGetThreadDesktop (284, 0, ... ) == 0x2c 00230 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 
52, ) == 0x0 00231 284 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00232 284 NtClose (52, ... ) == 0x0 00233 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00234 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 673, 128, 0, ... ) == 0x810ec017 00235 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00236 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 674, 128, 0, ... ) == 0x810ec01c 00237 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00238 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 675, 128, 0, ... ) == 0x810ec01e 00239 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00240 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 676, 128, 0, ... ) == 0x810e8002 00241 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10013 00242 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 677, 128, 0, ... ) == 0x810ec018 00243 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00244 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 678, 128, 0, ... ) == 0x810ec01a 00245 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00246 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 679, 128, 0, ... ) == 0x810ec01d 00247 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00248 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 681, 128, 0, ... ) == 0x810ec026 00249 284 NtUserFindExistingCursorIcon (1240860, 1240876, 1241444, ... ) == 0x10011 00250 284 NtUserRegisterClassExWOW (1241380, 1241460, 1241444, 1241476, 680, 128, 0, ... 
) == 0x810ec019 00251 284 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 0, 128, 0, ... 00252 284 NtAllocateVirtualMemory (-1, 6516736, 0, 4096, 4096, 32, ... 6516736, 4096, ) == 0x0 00251 284 NtUserRegisterClassExWOW ... ) == 0x810ec020 00253 284 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00254 284 NtUserRegisterClassExWOW (1241332, 1241408, 1241424, 1241396, 0, 130, 0, ... ) == 0x810ec022 00255 284 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 0, 128, 0, ... ) == 0x810ec023 00256 284 NtUserRegisterClassExWOW (1241332, 1241408, 1241424, 1241396, 0, 130, 0, ... ) == 0x810ec024 00257 284 NtUserRegisterClassExWOW (1241332, 1241412, 1241396, 1241428, 0, 128, 0, ... ) == 0x810ec025 00258 284 NtCallbackReturn (0, 0, 0, ... 00259 284 NtGdiInit (... ) == 0x1 00260 284 NtGdiGetStockObject (18, ... ) == 0x290001c 00261 284 NtGdiGetStockObject (19, ... ) == 0x1b00019 00262 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00263 284 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3932160, 65536, ) == 0x0 00264 284 NtAllocateVirtualMemory (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0 00265 284 NtAllocateVirtualMemory (-1, 3936256, 0, 8192, 4096, 4, ... 3936256, 8192, ) == 0x0 00266 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00267 284 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3d0000), 0x0, 12288, ) == 0x0 00268 284 NtClose (52, ... ) == 0x0 00269 284 NtAllocateVirtualMemory (-1, 3944448, 0, 4096, 4096, 4, ... 3944448, 4096, ) == 0x0 00270 284 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00271 284 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00272 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00273 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00274 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0 00275 284 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00276 284 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0 00277 284 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x0 00278 284 NtUserSetWindowsHookEx (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x30091 00279 284 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9568256, 1048576, ) == 0x0 00280 284 NtAllocateVirtualMemory (-1, 10608640, 0, 8192, 4096, 4, ... 10608640, 8192, ) == 0x0 00281 284 NtProtectVirtualMemory (-1, (0xa1e000), 4096, 260, ... (0xa1e000), 4096, 4, ) == 0x0 00282 284 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 60, {280, 536}, ) == 0x0 00283 284 NtQueryInformationThread (60, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=280,Tid=536,}, 0x0, ) == 0x0 00284 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490} (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490} "\0\0\0\0\1\0\1\0E\0R\03\02\0<\0\0\0\30\1\0\0\30\2\0\0" ... 
{28, 56, reply, 0, 280, 284, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0<\0\0\0\30\1\0\0\30\2\0\0" ) ... {28, 56, reply, 0, 280, 284, 1507, 0} (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490} "\0\0\0\0\1\0\1\0E\0R\03\02\0<\0\0\0\30\1\0\0\30\2\0\0" ... {28, 56, reply, 0, 280, 284, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0<\0\0\0\30\1\0\0\30\2\0\0" ) ) == 0x0 00285 284 NtResumeThread (60, ... 1, ) == 0x0 00286 536 NtCreateEvent (0x100003, 0x0, 1, 0, ... 64, ) == 0x0 00287 536 NtWaitForSingleObject (64, 0, 0x0, ... 00288 284 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10616832, 1048576, ) == 0x0 00289 284 NtAllocateVirtualMemory (-1, 11657216, 0, 8192, 4096, 4, ... 11657216, 8192, ) == 0x0 00290 284 NtProtectVirtualMemory (-1, (0xb1e000), 4096, 260, ... (0xb1e000), 4096, 4, ) == 0x0 00291 284 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 68, {280, 540}, ) == 0x0 00292 284 NtQueryInformationThread (68, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=280,Tid=540,}, 0x0, ) == 0x0 00293 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 280, 284, 1507, 0} (24, {28, 56, new_msg, 0, 280, 284, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\30\1\0\0\34\2\0\0" ... {28, 56, reply, 0, 280, 284, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\30\1\0\0\34\2\0\0" ) ... {28, 56, reply, 0, 280, 284, 1508, 0} (24, {28, 56, new_msg, 0, 280, 284, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\30\1\0\0\34\2\0\0" ... {28, 56, reply, 0, 280, 284, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\30\1\0\0\34\2\0\0" ) ) == 0x0 00294 284 NtResumeThread (68, ... 1, ) == 0x0 00295 284 NtUserSetTimer (0, 0, 4096, 268451664, ... ) == 0x7ff9 00296 284 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00297 540 NtWaitForSingleObject (64, 0, 0x0, ... 00296 284 NtAllocateVirtualMemory ... 11665408, 1048576, ) == 0x0 00298 284 NtAllocateVirtualMemory (-1, 12705792, 0, 8192, 4096, 4, ... 
12705792, 8192, ) == 0x0 00299 284 NtProtectVirtualMemory (-1, (0xc1e000), 4096, 260, ... (0xc1e000), 4096, 4, ) == 0x0 00300 284 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {280, 544}, ) == 0x0 00301 284 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=280,Tid=544,}, 0x0, ) == 0x0 00302 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 280, 284, 1508, 0} (24, {28, 56, new_msg, 0, 280, 284, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\30\1\0\0 \2\0\0" ... {28, 56, reply, 0, 280, 284, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\30\1\0\0 \2\0\0" ) ... {28, 56, reply, 0, 280, 284, 1509, 0} (24, {28, 56, new_msg, 0, 280, 284, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\30\1\0\0 \2\0\0" ... {28, 56, reply, 0, 280, 284, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\30\1\0\0 \2\0\0" ) ) == 0x0 00303 284 NtResumeThread (72, ... 1, ) == 0x0 00304 284 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 284 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 76, ) }, {20480, 0}, 4, 134217728, 0, ... 76, ) == 0x0 00306 544 NtWaitForSingleObject (64, 0, 0x0, ... 00307 284 NtSetEventBoostPriority (64, ... 00287 536 NtWaitForSingleObject ... ) == 0x0 00308 536 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00309 536 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00310 536 NtSetEventBoostPriority (64, ... 00297 540 NtWaitForSingleObject ... ) == 0x0 00311 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00312 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00313 540 NtSetEventBoostPriority (64, ... 
00306 544 NtWaitForSingleObject ... ) == 0x0 00314 544 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00315 544 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00316 544 NtTestAlert (... ) == 0x0 00317 544 NtContinue (12713264, 1, ... 00318 544 NtRegisterThreadTerminatePort (24, ... 00313 540 NtSetEventBoostPriority ... ) == 0x0 00310 536 NtSetEventBoostPriority ... ) == 0x0 00307 284 NtSetEventBoostPriority ... ) == 0x0 00319 540 NtTestAlert (... 00320 536 NtTestAlert (... 00321 284 NtMapViewOfSection (76, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... 00319 540 NtTestAlert ... ) == 0x0 00320 536 NtTestAlert ... ) == 0x0 00321 284 NtMapViewOfSection ... (0x3e0000), {0, 0}, 20480, ) == 0x0 00318 544 NtRegisterThreadTerminatePort ... ) == 0x0 00322 540 NtContinue (11664688, 1, ... 00323 284 NtUnmapViewOfSection (-1, 0x3e0000, ... 00324 544 NtDelayExecution (0, {-20480000, -1}, ... 00325 540 NtRegisterThreadTerminatePort (24, ... 00323 284 NtUnmapViewOfSection ... ) == 0x0 00325 540 NtRegisterThreadTerminatePort ... ) == 0x0 00326 536 NtContinue (10616112, 1, ... 00327 540 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... }, ... 00328 536 NtRegisterThreadTerminatePort (24, ... 00327 540 NtOpenKey ... 80, ) == 0x0 00328 536 NtRegisterThreadTerminatePort ... ) == 0x0 00329 540 NtQueryValueKey (80, (80, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ... 00330 536 NtDelayExecution (0, {-40960000, -1}, ... 00331 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243652, ... }, 1243652, ... 00329 540 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00332 540 NtQueryValueKey (80, (80, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00333 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00334 540 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Protocol_Catalog9"}, ... 88, ) }, ... 88, ) == 0x0 00335 540 NtQueryValueKey (88, (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00336 540 NtNotifyChangeKey (88, 84, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00337 540 NtQueryValueKey (88, (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00338 540 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00339 540 NtQueryValueKey (88, (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00340 540 NtQueryValueKey (88, (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00341 540 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Catalog_Entries"}, ... 92, ) }, ... 92, ) == 0x0 00342 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000001"}, ... 96, ) }, ... 
96, ) == 0x0 00343 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00344 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00345 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0Z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0[\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00346 540 NtClose (96, ... ) == 0x0 00347 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000002"}, ... 96, ) }, ... 96, ) == 0x0 00348 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00349 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00350 540 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00351 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0c\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0c\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0c\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0`\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0a\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0b\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0c\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00352 540 NtClose (96, ... ) == 0x0 00353 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000003"}, ... 96, ) }, ... 96, ) == 0x0 00354 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00355 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00356 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0e\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0f\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00357 540 NtClose (96, ... ) == 0x0 00358 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000004"}, ... 96, ) }, ... 96, ) == 0x0 00359 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00360 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00361 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0j\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0k\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00362 540 NtClose (96, ... ) == 0x0 00363 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000005"}, ... 96, ) }, ... 96, ) == 0x0 00364 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00365 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00366 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0o\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0p\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00367 540 NtClose (96, ... ) == 0x0 00368 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000006"}, ... 96, ) }, ... 96, ) == 0x0 00369 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00370 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00371 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0t\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0u\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00372 540 NtClose (96, ... ) == 0x0 00373 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000007"}, ... 96, ) }, ... 96, ) == 0x0 00374 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00375 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00376 540 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00377 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0z\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0{\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00378 540 NtClose (96, ... ) == 0x0 00379 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000008"}, ... 96, ) }, ... 96, ) == 0x0 00380 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00381 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00382 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\177\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\200\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00383 540 NtClose (96, ... ) == 0x0 00384 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000009"}, ... 96, ) }, ... 96, ) == 0x0 00385 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00386 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00387 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\204\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\205\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00388 540 NtClose (96, ... ) == 0x0 00389 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000010"}, ... 96, ) }, ... 96, ) == 0x0 00390 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00391 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00392 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350B\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\212\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0\30\1\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00393 540 NtClose (96, ... ) == 0x0 00394 540 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000011"}, ... 96, ) }, ... 96, ) == 0x0 00395 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00396 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00397 540 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00398 540 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\217\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\217\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\220\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\1\0\0\30\1\0\0\34\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\221\1\0\0\30\1\0\0\34\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\222\1\0\0\30\1\0\0\34\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\222\1\0\0\30\1\0\0\34\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\223\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0\240\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0p4\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\217\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\217\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\220\1\0\0\30\1\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\1\0\0\30\1\0\0\34\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\221\1\0\0\30\1\0\0\34\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\222\1\0\0\30\1\0\0\34\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\222\1\0\0\30\1\0\0\34\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\223\1\0\0\30\1\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0\240\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0p4\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00399 540 NtClose (96, ... ) == 0x0 00400 540 NtClose (92, ... ) == 0x0 00401 540 NtWaitForSingleObject (84, 0, {0, 0}, ... 
) == 0x102 00402 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00403 540 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 96, ) }, ... 96, ) == 0x0 00404 540 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00405 540 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00406 540 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00407 540 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 540 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00409 540 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00410 540 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0 00411 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00412 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00413 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00414 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00415 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00416 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00417 540 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00418 540 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00419 540 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00420 540 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00421 540 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00422 540 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00423 540 NtClose (104, ... ) == 0x0 00424 540 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00425 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00426 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00427 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00428 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00429 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00430 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00431 540 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00432 540 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00433 540 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00434 540 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00435 540 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00436 540 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00437 540 NtClose (104, ... ) == 0x0 00438 540 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 00439 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00440 540 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00441 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00442 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00443 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00444 540 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00445 540 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00446 540 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00447 540 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00448 540 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00449 540 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00450 540 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00451 540 NtClose (104, ... 
) == 0x0 00452 540 NtClose (100, ... ) == 0x0 00453 540 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 00454 540 NtClose (80, ... ) == 0x0 00455 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00456 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00457 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 80, ) }, ... 80, ) == 0x0 00458 540 NtQueryValueKey (80, (80, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00459 540 NtClose (80, ... ) == 0x0 00460 540 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00461 540 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00462 540 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 100, {status=0x0, info=1}, ) }, 7, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00463 540 NtLockFile (100, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 00464 540 NtQueryInformationFile (100, 1344048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00331 284 NtQueryAttributesFile ... ) == 0x0 00465 284 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1327744, 1327736, 0, 1243992} (24, {20, 48, new_msg, 0, 1327744, 1327736, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 280, 284, 1510, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 280, 284, 1510, 0} (24, {20, 48, new_msg, 0, 1327744, 1327736, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... 
{20, 48, reply, 0, 280, 284, 1510, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00466 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243660, (0x80100080, {24, 0, 0x40, 0, 1243660, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 00467 284 NtQueryDirectoryFile (-2147482024, 0, 0, 0, -519823360, 4096, Names, 1, (-2147482024, 0, 0, 0, -519823360, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0 00468 284 NtClose (-2147482024, ... 00469 540 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 12713984, 1052672, ) == 0x0 00470 540 NtAllocateVirtualMemory (-1, 12713984, 0, 235, 4096, 4, ... 12713984, 4096, ) == 0x0 00471 540 NtReadFile (100, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (100, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 00472 540 NtFreeVirtualMemory (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0 00473 540 NtUnlockFile (100, {0, 0}, {-1, -1}, 540, ... ) == STATUS_RANGE_NOT_LOCKED 00474 540 NtClose (100, ... ) == 0x0 00468 284 NtClose ... ) == 0x0 00466 284 NtCreateFile ... 100, {status=0x0, info=2}, ) == 0x0 00475 284 NtClose (100, ... ) == 0x0 00476 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 284 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243640, (0xc0100080, {24, 0, 0x40, 0, 1243640, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00478 284 NtClose (-2147482024, ... 
) == 0x0 00479 284 NtQueryDirectoryFile (-2147482024, 0, 0, 0, -519823360, 4096, Names, 1, (-2147482024, 0, 0, 0, -519823360, 4096, Names, 1, "~1.tmp.exe", 1, ... , 1, ... 00480 540 NtOpenProcessToken (-1, 0x8, ... 100, ) == 0x0 00481 540 NtQueryInformationToken (100, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00482 540 NtClose (100, ... ) == 0x0 00483 540 NtCreateFile (0xc0100000, {24, 0, 0x40, 0, 0, (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0 00484 540 NtLockFile (100, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0 00485 540 NtQueryInformationFile (100, 1344048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00479 284 NtQueryDirectoryFile ... ) == STATUS_NO_SUCH_FILE 00486 284 NtClose (-2147482024, ... ) == 0x0 00477 284 NtCreateFile ... 104, {status=0x0, info=2}, ) == 0x0 00487 284 NtQueryVolumeInformationFile (104, 1243800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00488 284 NtQueryInformationFile (104, 1243692, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 00489 284 NtWriteFile (104, 0, 0, 0, (104, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... , 43520, 0x0, 0, ... 00490 540 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 12713984, 1052672, ) == 0x0 00491 540 NtAllocateVirtualMemory (-1, 12713984, 0, 235, 4096, 4, ... 12713984, 4096, ) == 0x0 00492 540 NtReadFile (100, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (100, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 00493 540 NtWriteFile (100, 0, 0, 0, (100, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=30796ohwb19523\15\12", 37, {231, 0}, 2012046884, ... 
{status=0x0, info=37}, ) , 37, {231, 0}, 2012046884, ... {status=0x0, info=37}, ) == 0x0 00494 540 NtSetInformationFile (100, 11664552, 8, EndOfFile, ... 00489 284 NtWriteFile ... {status=0x0, info=43520}, ) == 0x0 00495 284 NtClose (104, ... ) == 0x0 00496 284 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00497 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240364, ... ) }, 1240364, ... ) == 0x0 00498 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241056, ... ) }, 1241056, ... ) == 0x0 00499 284 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00500 284 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 104, ... 00494 540 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 00501 540 NtFreeVirtualMemory (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0 00502 540 NtUnlockFile (100, {0, 0}, {-1, -1}, 540, ... ) == STATUS_RANGE_NOT_LOCKED 00503 540 NtClose (100, ... ) == 0x0 00504 540 NtDelayExecution (0, {-122880000, -1}, ... 00500 284 NtCreateSection ... 100, ) == 0x0 00505 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00506 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 108, ) }, ... 108, ) == 0x0 00507 284 NtQueryValueKey (108, (108, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00508 284 NtClose (108, ... ) == 0x0 00509 284 NtQueryVolumeInformationFile (104, 1240364, 8, Device, ... 
{status=0x0, info=8}, ) == 0x0 00510 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238348, ... ) }, 1238348, ... ) == 0x0 00511 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00512 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0 00513 284 NtClose (108, ... ) == 0x0 00514 284 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 106496, ) == 0x0 00515 284 NtClose (112, ... ) == 0x0 00516 284 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 00517 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0 00518 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00519 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 112, ... 108, ) == 0x0 00520 284 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00521 284 NtClose (112, ... ) == 0x0 00522 284 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 00523 284 NtClose (108, ... ) == 0x0 00524 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0 00525 284 NtQueryInformationFile (108, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00526 284 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 108, ... 112, ) == 0x0 00527 284 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0xc20000), 0x0, 1028096, ) == 0x0 00528 284 NtQueryInformationFile (108, 1239048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00529 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 284 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00531 284 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00532 284 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00533 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00534 284 NtQueryDirectoryFile (116, 0, 0, 0, 1236612, 616, BothDirectory, 1, (116, 0, 0, 0, 1236612, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 00535 284 NtClose (116, ... ) == 0x0 00536 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00537 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00538 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236000, ... ) }, 1236000, ... ) == 0x0 00539 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00540 284 NtQueryDirectoryFile (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... 
{status=0x0, info=138}, ) == 0x0 00541 284 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00542 284 NtClose (116, ... ) == 0x0 00543 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00544 284 NtQueryDirectoryFile (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00545 284 NtClose (116, ... ) == 0x0 00546 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00547 284 NtQueryDirectoryFile (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00548 284 NtClose (116, ... ) == 0x0 00549 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00550 284 NtQueryDirectoryFile (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, (116, 0, 0, 0, 1235360, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00551 284 NtClose (116, ... ) == 0x0 00552 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00553 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00554 284 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00555 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00556 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 00557 284 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00558 284 NtClose (116, ... ) == 0x0 00559 284 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00560 284 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00561 284 NtUnmapViewOfSection (-1, 0xc20000, ... ) == 0x0 00562 284 NtClose (112, ... ) == 0x0 00563 284 NtClose (108, ... ) == 0x0 00564 284 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00565 284 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00566 284 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00567 284 NtOpenProcessToken (-1, 0xa, ... 108, ) == 0x0 00568 284 NtQueryInformationToken (108, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00569 284 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00570 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 00571 284 NtQueryValueKey (112, (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... 
TitleIdx=0, Type=4, Data= (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00572 284 NtQueryValueKey (112, (112, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (112, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00573 284 NtClose (112, ... ) == 0x0 00574 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 00575 284 NtQueryValueKey (112, (112, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00576 284 NtQueryValueKey (112, (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 00577 284 NtClose (112, ... 
) == 0x0 00578 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 00580 284 NtQueryValueKey (112, (112, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00581 284 NtClose (112, ... ) == 0x0 00582 284 NtQueryDefaultUILanguage (2013024600, ... 00583 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00584 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00585 284 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00586 284 NtClose (-2147482020, ... ) == 0x0 00587 284 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00588 284 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 284 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0 00590 284 NtQueryValueKey (-2147482036, (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00591 284 NtClose (-2147482036, ... ) == 0x0 00592 284 NtClose (-2147482020, ... ) == 0x0 00582 284 NtQueryDefaultUILanguage ... ) == 0x0 00593 284 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00594 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00595 284 NtQueryDefaultLocale (1, 1239736, ... 
) == 0x0 00596 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00597 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00598 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00599 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00600 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00601 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00602 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00603 284 NtQueryDefaultLocale (1, 1239736, ... ) == 0x0 00604 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 112, ) }, ... 112, ) == 0x0 00605 284 NtEnumerateKey (112, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (112, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 00606 284 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 116, ) }, ... 116, ) == 0x0 00607 284 NtQueryValueKey (116, (116, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (116, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 00608 284 NtQueryValueKey (116, (116, "SaferFlags", Partial, 280, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (116, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00609 284 NtClose (116, ... ) == 0x0 00610 284 NtEnumerateKey (112, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00611 284 NtClose (112, ... ) == 0x0 00612 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00613 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00614 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00615 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00616 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00618 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00619 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00620 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00621 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00622 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00623 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00624 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00625 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00626 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00627 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00628 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00629 284 NtClose (112, ... 
) == 0x0 00630 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00631 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00632 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00633 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00634 284 NtClose (112, ... ) == 0x0 00635 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00636 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00637 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00638 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00639 284 NtClose (112, ... ) == 0x0 00640 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00641 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00642 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00643 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00644 284 NtClose (112, ... ) == 0x0 00645 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00646 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00647 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00648 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00649 284 NtClose (112, ... ) == 0x0 00650 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00651 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00652 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00653 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00654 284 NtClose (112, ... ) == 0x0 00655 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00656 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00657 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00658 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00659 284 NtClose (112, ... ) == 0x0 00660 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00661 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00662 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00663 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00664 284 NtClose (112, ... 
) == 0x0 00665 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00666 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00667 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00668 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00669 284 NtClose (112, ... ) == 0x0 00670 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00671 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00672 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00673 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00674 284 NtClose (112, ... ) == 0x0 00675 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00677 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00678 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00679 284 NtClose (112, ... ) == 0x0 00680 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00681 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00682 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00683 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00684 284 NtClose (112, ... ) == 0x0 00685 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00687 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00688 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00689 284 NtClose (112, ... ) == 0x0 00690 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00691 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00692 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00693 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00694 284 NtClose (112, ... ) == 0x0 00695 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00697 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00698 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00699 284 NtClose (112, ... 
) == 0x0 00700 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00701 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 00702 284 NtQueryValueKey (112, (112, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (112, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (112, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 00703 284 NtClose (112, ... ) == 0x0 00704 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00705 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00706 284 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00707 284 NtClose (112, ... ) == 0x0 00708 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00709 284 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00710 284 NtOpenProcessToken (-1, 0xa, ... 112, ) == 0x0 00711 284 NtDuplicateToken (112, 0xc, {24, 0, 0x0, 0, 1240256, 0x0}, 0, 2, ... 116, ) == 0x0 00712 284 NtClose (112, ... ) == 0x0 00713 284 NtAccessCheck (1350912, 116, 0x1, 1240384, 1240328, 56, 1240412, ... (0x1), ) == 0x0 00714 284 NtClose (116, ... ) == 0x0 00715 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 116, ) }, ... 
116, ) == 0x0 00716 284 NtQueryValueKey (116, (116, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (116, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00717 284 NtClose (116, ... ) == 0x0 00718 284 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 116, ) }, ... 116, ) == 0x0 00719 284 NtQuerySymbolicLinkObject (116, ... (116, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 00720 284 NtClose (116, ... ) == 0x0 00721 284 NtQueryInformationFile (104, 1238716, 528, Name, ... {status=0x0, info=130}, ) == 0x0 00722 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00723 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00724 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237396, ... ) }, 1237396, ... ) == 0x0 00725 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00726 284 NtQueryDirectoryFile (116, 0, 0, 0, 1236756, 616, BothDirectory, 1, (116, 0, 0, 0, 1236756, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00727 284 NtClose (116, ... ) == 0x0 00728 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 116, {status=0x0, info=1}, ) }, 3, 16417, ... 116, {status=0x0, info=1}, ) == 0x0 00729 284 NtQueryDirectoryFile (116, 0, 0, 0, 1236756, 616, BothDirectory, 1, (116, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... 
{status=0x0, info=102}, ) == 0x0 00730 284 NtClose (116, ... ) == 0x0 00731 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00732 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00733 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00734 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 00735 284 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00736 284 NtClose (116, ... ) == 0x0 00737 284 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 116, ) }, ... 116, ) == 0x0 00738 284 NtOpenKey (0x20019, {24, 116, 0x40, 0, 0, (0x20019, {24, 116, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 112, ) }, ... 112, ) == 0x0 00739 284 NtClose (116, ... ) == 0x0 00740 284 NtQueryValueKey (112, (112, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00741 284 NtQueryValueKey (112, (112, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (112, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 00742 284 NtClose (112, ... ) == 0x0 00743 284 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 4063232, 4096, ) == 0x0 00744 284 NtAllocateVirtualMemory (-1, 4063232, 0, 4096, 4096, 4, ... 
4063232, 4096, ) == 0x0 00745 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 00746 284 NtQueryValueKey (112, (112, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00747 284 NtClose (112, ... ) == 0x0 00748 284 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00749 284 NtQueryInformationToken (108, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 00750 284 NtQueryInformationToken (108, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 00751 284 NtClose (108, ... ) == 0x0 00752 284 NtCreateProcessEx (1242992, 2035711, 0, -1, 0, 100, 0, 0, 0, ... ) == 0x0 00753 284 NtQueryInformationProcess (108, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=280,}, 0x0, ) == 0x0 00754 284 NtReadVirtualMemory (108, 0x7ffdf008, 4, ... (108, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0 00755 284 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00756 284 NtAllocateVirtualMemory (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0 00757 284 NtReadVirtualMemory (108, 0x9800000, 4096, ... (108, 0x9800000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0 00758 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00759 284 NtQueryInformationProcess (108, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=280,}, 0x0, ) == 0x0 00760 284 NtAllocateVirtualMemory (-1, 0, 0, 1772, 4096, 4, ... 4128768, 4096, ) == 0x0 00761 284 NtAllocateVirtualMemory (108, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 00762 284 NtWriteVirtualMemory (108, 0x10000, (108, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 00763 284 NtAllocateVirtualMemory (108, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0 00764 284 NtWriteVirtualMemory (108, 0x20000, (108, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 
\0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0 00765 284 NtWriteVirtualMemory (108, 0x7ffdf010, (108, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00766 284 NtWriteVirtualMemory (108, 0x7ffdf1e8, (108, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00767 284 NtFreeVirtualMemory (-1, (0x3f0000), 0, 32768, ... (0x3f0000), 4096, ) == 0x0 00768 284 NtAllocateVirtualMemory (108, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 00769 284 NtAllocateVirtualMemory (108, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 00770 284 NtProtectVirtualMemory (108, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 00771 284 NtCreateThread (0x1f03ff, 0x0, 108, 1241256, 1241976, 1, ... 
112, {568, 584}, ) == 0x0 00772 284 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1313016, 1310720, 1344640, 1243076} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1344640, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367wo\0\0\0p\0\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 280, 284, 1513, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wl\0\0\0p\0\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 280, 284, 1513, 0} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1344640, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367wo\0\0\0p\0\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 280, 284, 1513, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wl\0\0\0p\0\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00773 284 NtResumeThread (112, ... 1, ) == 0x0 00774 284 NtClose (104, ... ) == 0x0 00775 284 NtClose (100, ... ) == 0x0 00776 284 NtQueryInformationProcess (108, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=280,}, 0x0, ) == 0x0 00777 284 NtUserWaitForInputIdle (568, 30000, 0, ... 00778 284 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00779 284 NtClose (100, ... ) == 0x0 00324 544 NtDelayExecution ... ) == 0x0 00780 544 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 4128768, 65536, ) == 0x0 00781 544 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00782 544 NtCreateSection (0xf0007, 0x0, {13396, 0}, 4, 134217728, 0, ... 100, ) == 0x0 00783 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0 00784 544 NtUnmapViewOfSection (-1, 0xc20000, ... ) == 0x0 00785 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0 00786 544 NtFreeVirtualMemory (-1, (0x3f0000), 0, 32768, ... (0x3f0000), 65536, ) == 0x0 00787 544 NtUnmapViewOfSection (-1, 0xc20000, ... ) == 0x0 00788 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00789 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00790 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00791 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00792 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00793 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00794 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00795 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00796 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00797 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00798 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x3f0000), {0, 0}, 16384, ) == 0x0 00799 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00800 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00801 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00802 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00803 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00804 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00805 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00806 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00807 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00808 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00809 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00810 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00811 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00812 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00813 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00814 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00815 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00816 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00817 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00818 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00819 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00820 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00821 544 NtUnmapViewOfSection (-1, 0x3f0000, ... 
) == 0x0 00822 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00823 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00824 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00825 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00826 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00827 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00828 544 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0 00829 544 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00830 544 NtContinue (12710568, 0, ... 00831 544 NtDelayExecution (0, {-20480000, -1}, ... 00330 536 NtDelayExecution ... ) == 0x0 00832 536 NtMapViewOfSection (76, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... (0x3f0000), {0, 0}, 20480, ) == 0x0 00833 536 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 00834 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00836 536 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00837 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == 0x0 00838 536 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00839 536 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 116, ) == 0x0 00840 536 NtQuerySection (116, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00841 536 NtClose (104, ... ) == 0x0 00842 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0 00843 536 NtClose (116, ... ) == 0x0 00844 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00845 536 NtAllocateVirtualMemory (-1, 10604544, 0, 4096, 4096, 260, ... 10604544, 4096, ) == 0x0 00846 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00847 536 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00848 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == 0x0 00849 536 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00850 536 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 104, ) == 0x0 00851 536 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00852 536 NtClose (116, ... ) == 0x0 00853 536 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 00854 536 NtClose (104, ... ) == 0x0 00855 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00856 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 536 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00858 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... ) == 0x0 00859 536 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00860 536 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 116, ) == 0x0 00861 536 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00862 536 NtClose (104, ... ) == 0x0 00863 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 00864 536 NtClose (116, ... ) == 0x0 00865 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 116, ) }, ... 116, ) == 0x0 00866 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00867 536 NtClose (116, ... ) == 0x0 00868 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 116, ) }, ... 116, ) == 0x0 00869 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00870 536 NtClose (116, ... ) == 0x0 00871 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 116, ) }, ... 116, ) == 0x0 00872 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00873 536 NtClose (116, ... ) == 0x0 00874 536 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 116, ) }, ... 116, ) == 0x0 00875 536 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 00876 536 NtClose (116, ... ) == 0x0 00877 536 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00878 536 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00879 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 116, ) }, ... 116, ) == 0x0 00880 536 NtQueryValueKey (116, (116, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00881 536 NtClose (116, ... ) == 0x0 00882 536 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00883 536 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00884 536 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00885 536 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00886 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 116, ) }, ... 116, ) == 0x0 00887 536 NtQueryValueKey (116, (116, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00888 536 NtQueryValueKey (116, (116, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00889 536 NtQueryValueKey (116, (116, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 536 NtClose (116, ... ) == 0x0 00891 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 116, ) }, ... 116, ) == 0x0 00892 536 NtQueryValueKey (116, (116, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 536 NtQueryValueKey (116, (116, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 536 NtClose (116, ... ) == 0x0 00895 536 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 536 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00898 536 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00899 536 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 00900 536 NtCreateEvent (0x1f0003, {24, 52, 0x80, 10614848, 0, (0x1f0003, {24, 52, 0x80, 10614848, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00901 536 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 116, ) }, ... 116, ) == 0x0 00902 536 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00903 536 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12713984, 262144, ) == 0x0 00904 536 NtAllocateVirtualMemory (-1, 12713984, 0, 4096, 4096, 4, ... 12713984, 4096, ) == 0x0 00905 536 NtAllocateVirtualMemory (-1, 12718080, 0, 8192, 4096, 4, ... 12718080, 8192, ) == 0x0 00906 536 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00907 536 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12976128, 1048576, ) == 0x0 00908 536 NtAllocateVirtualMemory (-1, 12976128, 0, 1048576, 4096, 4, ... 12976128, 1048576, ) == 0x0 00909 536 NtCreateMutant (0x1f0001, 0x0, 0, ... 104, ) == 0x0 00910 536 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 120, ) == 0x0 00911 536 NtCreateMutant (0x1f0001, 0x0, 0, ... 124, ) == 0x0 00912 536 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0 00913 536 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 132, ) == 0x0 00914 536 NtSetEvent (132, ... 0x0, ) == 0x0 00915 536 NtDelayExecution (0, {-40960000, -1}, ... 00831 544 NtDelayExecution ... ) == 0x0 00916 544 NtContinue (12710568, 0, ... 00917 544 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 00918 544 NtContinue (12710568, 0, ... 00919 544 NtDelayExecution (0, {-20480000, -1}, ... 00915 536 NtDelayExecution ... ) == 0x0 00920 536 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 00921 536 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 10616560, (0x40100080, {24, 0, 0x40, 0, 10616560, "\??\C:\KUKU300a"}, 0x0, 32, 2, 5, 96, 0, 0, ... }, 0x0, 32, 2, 5, 96, 0, 0, ... 00922 536 NtClose (-2147482048, ... ) == 0x0 00921 536 NtCreateFile ... 136, {status=0x0, info=2}, ) == 0x0 00923 536 NtClose (136, ... ) == 0x0 00924 536 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\KUKU300a"}, 7, 2113600, ... 136, {status=0x0, info=1}, ) }, 7, 2113600, ... 136, {status=0x0, info=1}, ) == 0x0 00925 536 NtQueryInformationFile (136, 10616624, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 00926 536 NtSetInformationFile (136, 10616675, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 00927 536 NtClose (136, ... ) == 0x0 00928 536 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00929 536 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00930 536 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00931 536 NtClose (136, ... ) == 0x0 00932 536 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 136, ) }, ... 136, ) == 0x0 00933 536 NtSetInformationObject (136, Handle, {Inherit=0,ProtectFromClose=1,}, 10551552, ... ) == 0x0 00934 536 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 140, ) }, ... 140, ) == 0x0 00935 536 NtEnumerateValueKey (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (140, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0 00936 536 NtEnumerateValueKey (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0 00937 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 144, ) }, ... 144, ) == 0x0 00938 536 NtOpenKey (0x20019, {24, 144, 0x40, 0, 0, (0x20019, {24, 144, 0x40, 0, 0, "ActiveComputerName"}, ... 148, ) }, ... 148, ) == 0x0 00939 536 NtQueryValueKey (148, (148, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (148, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (148, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00940 536 NtClose (148, ... ) == 0x0 00941 536 NtClose (144, ... ) == 0x0 00942 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 00943 536 NtQueryValueKey (144, (144, "Hostname", Full, 128, ... 
TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (144, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (144, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 00944 536 NtClose (144, ... ) == 0x0 00945 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 00947 536 NtQueryValueKey (144, (144, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (144, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (144, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 00948 536 NtClose (144, ... ) == 0x0 00949 536 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00950 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 144, ) }, ... 144, ) == 0x0 00952 536 NtQueryValueKey (144, (144, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 536 NtClose (144, ... 
) == 0x0 00954 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 536 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00956 536 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 00957 536 NtQuerySystemTime (... {-716668374, 29881643}, ) == 0x0 00958 536 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 00959 536 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0 00960 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 536 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00962 536 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00963 536 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00964 536 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0 00965 536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 160, ) == 0x0 00966 536 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 164, ) }, ... 164, ) == 0x0 00967 536 NtOpenKey (0x20019, {24, 164, 0x40, 0, 0, (0x20019, {24, 164, 0x40, 0, 0, "ActiveComputerName"}, ... 168, ) }, ... 168, ) == 0x0 00968 536 NtQueryValueKey (168, (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (168, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00969 536 NtClose (168, ... ) == 0x0 00970 536 NtClose (164, ... ) == 0x0 00971 536 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 164, ) == 0x0 00972 536 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 168, ) == 0x0 00973 536 NtDuplicateObject (-1, 164, -1, 0x0, 0, 2, ... 172, ) == 0x0 00974 536 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00975 536 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 00976 536 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00977 536 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00978 536 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10613660, (0xc0100080, {24, 0, 0x40, 0, 10613660, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0 00979 536 NtSetInformationFile (180, 10613716, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00980 536 NtSetInformationFile (180, 10613708, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00981 536 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00982 536 NtWriteFile (180, 157, 0, 0, (180, 157, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00983 536 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 00984 536 NtReadFile (180, 157, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (180, 157, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\34\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00985 536 NtFsControlFile (180, 157, 0x0, 0x0, 0x11c017, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\34\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=68}, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\34\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00986 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0 00987 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 00988 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00989 536 NtClose (184, ... ) == 0x0 00990 536 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10615708, (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 00991 536 NtQueryInformationFile (-1, 10615760, 24, Standard, ... 
) == STATUS_OBJECT_TYPE_MISMATCH 00992 536 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 00993 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 00994 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00995 536 NtClose (184, ... ) == 0x0 00996 536 NtDelayExecution (0, {-10240000, -1}, ... 00919 544 NtDelayExecution ... ) == 0x0 00997 544 NtContinue (12710568, 0, ... 00998 544 NtDelayExecution (0, {-20480000, -1}, ... 00996 536 NtDelayExecution ... ) == 0x0 00999 536 NtEnumerateValueKey (140, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01000 536 NtClose (140, ... ) == 0x0 01001 536 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 140, ) }, ... 140, ) == 0x0 01002 536 NtEnumerateValueKey (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01003 536 NtEnumerateValueKey (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (140, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01004 536 NtFsControlFile (180, 157, 0x0, 0x0, 0x11c017, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28}, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01005 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0 01006 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01007 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01008 536 NtClose (184, ... ) == 0x0 01009 536 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10615708, (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01010 536 NtQueryInformationFile (-1, 10615760, 24, Standard, ... 
) == STATUS_OBJECT_TYPE_MISMATCH 01011 536 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01012 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01013 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01014 536 NtClose (184, ... ) == 0x0 01015 536 NtDelayExecution (0, {-10240000, -1}, ... 00998 544 NtDelayExecution ... ) == 0x0 01016 544 NtContinue (12710568, 0, ... 01017 544 NtDelayExecution (0, {-20480000, -1}, ... 01015 536 NtDelayExecution ... ) == 0x0 01018 536 NtEnumerateValueKey (140, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (140, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0 01019 536 NtEnumerateValueKey (140, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (140, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0 01020 536 NtFsControlFile (180, 157, 0x0, 0x0, 0x11c017, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28}, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01021 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0 01022 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01023 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01024 536 NtClose (184, ... ) == 0x0 01025 536 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10615708, (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01026 536 NtQueryInformationFile (-1, 10615760, 24, Standard, ... 
) == STATUS_OBJECT_TYPE_MISMATCH 01027 536 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01028 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01029 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01030 536 NtClose (184, ... ) == 0x0 01031 536 NtDelayExecution (0, {-10240000, -1}, ... ) == 0x0 01032 536 NtEnumerateValueKey (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0v\0i\0p\0g\0g\0u\0d\0m\0e\0j\0.\0e\0x\0e\0\0\0"}, 98, ) , Data= (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0v\0i\0p\0g\0g\0u\0d\0m\0e\0j\0.\0e\0x\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01033 536 NtEnumerateValueKey (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0v\0i\0p\0g\0g\0u\0d\0m\0e\0j\0.\0e\0x\0e\0\0\0"}, 98, ) , Data= (140, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0v\0i\0p\0g\0g\0u\0d\0m\0e\0j\0.\0e\0x\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01034 536 NtFsControlFile (180, 157, 0x0, 0x0, 0x11c017, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\4\0\0\0V\0\0\0\0\0\1\0p\342\0\20#\0\0\0\0\0\0\0#\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0V\0I\0P\0G\0G\0U\0D\0M\0E\0J\0.\0E\0X\0E\0\0\0", 110, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 110, 1024, ... 
{status=0x103, info=28}, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\4\0\0\0V\0\0\0\0\0\1\0p\342\0\20#\0\0\0\0\0\0\0#\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0V\0I\0P\0G\0G\0U\0D\0M\0E\0J\0.\0E\0X\0E\0\0\0", 110, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01035 536 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\VIPGGUDMEJ.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0 01036 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\VIPGGUDMEJ.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01037 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01038 536 NtClose (184, ... ) == 0x0 01039 536 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10615708, (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\WINDOWS\SYSTEM32\VIPGGUDMEJ.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01040 536 NtQueryInformationFile (-1, 10615760, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01041 536 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01042 536 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\VIPGGUDMEJ.EXE"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01043 536 NtSetInformationFile (184, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01044 536 NtClose (184, ... ) == 0x0 01045 536 NtDelayExecution (0, {-10240000, -1}, ... 00504 540 NtDelayExecution ... ) == 0x0 01046 540 NtOpenKey (0xf003f, {24, 136, 0x40, 0, 0, (0xf003f, {24, 136, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 184, ) }, ... 184, ) == 0x0 01047 540 NtSetValueKey (184, (184, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... 
, 0, 4, (184, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 4, ... 01048 540 NtSetInformationFile (-2147482700, -135002316, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01049 540 NtSetInformationFile (-2147482700, -135002352, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01050 540 NtSetInformationFile (-2147482700, -135002408, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01051 540 NtSetInformationFile (-2147482700, -135002716, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01047 540 NtSetValueKey ... ) == 0x0 01052 540 NtClose (184, ... ) == 0x0 01053 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 184, ) }, ... 184, ) == 0x0 01054 540 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 01055 540 NtClose (184, ... ) == 0x0 01056 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 184, ) }, ... 184, ) == 0x0 01057 540 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 01058 540 NtClose (184, ... ) == 0x0 01059 540 NtAllocateVirtualMemory (-1, 11653120, 0, 4096, 4096, 260, ... 11653120, 4096, ) == 0x0 01060 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 184, ) }, ... 184, ) == 0x0 01061 540 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 01062 540 NtClose (184, ... ) == 0x0 01063 540 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01064 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 01065 540 NtCallbackReturn (0, 0, 0, ... 01066 540 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 01067 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01068 540 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01069 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01070 540 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 01071 540 NtCreateKey (0xf003f, {24, 136, 0x40, 0, 0, (0xf003f, {24, 136, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 188, 2, ) }, 0, 0x0, 0, ... 188, 2, ) == 0x0 01072 540 NtQueryDefaultUILanguage (11661652, ... 01073 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01074 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482100, ) == 0x0 01075 540 NtQueryInformationToken (-2147482100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01076 540 NtClose (-2147482100, ... ) == 0x0 01077 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482100, ) }, ... -2147482100, ) == 0x0 01078 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 540 NtOpenKey (0x80000000, {24, -2147482100, 0x640, 0, 0, (0x80000000, {24, -2147482100, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482096, ) }, ... -2147482096, ) == 0x0 01080 540 NtQueryValueKey (-2147482096, (-2147482096, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 540 NtClose (-2147482096, ... ) == 0x0 01082 540 NtClose (-2147482100, ... ) == 0x0 01072 540 NtQueryDefaultUILanguage ... 
) == 0x0 01083 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01084 540 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 01085 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01086 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0 01087 540 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd60000), 0x0, 593920, ) == 0x0 01088 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01089 540 NtAllocateVirtualMemory (-1, 11649024, 0, 4096, 4096, 260, ... 11649024, 4096, ) == 0x0 01090 540 NtQueryDefaultLocale (1, 11659688, ... ) == 0x0 01091 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01092 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0} (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ... {128, 156, reply, 0, 280, 540, 2041, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 280, 540, 2041, 0} (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ... {128, 156, reply, 0, 280, 540, 2041, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ) ) == 0x0 01093 540 NtClose (192, ... ) == 0x0 01094 540 NtClose (196, ... ) == 0x0 01095 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01096 540 NtUnmapViewOfSection (-1, 0xb1f400, ... ) == STATUS_NOT_MAPPED_VIEW 01097 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01098 540 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01099 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01100 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01101 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 11658228, ... ) }, 11658228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01102 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01103 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01104 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01105 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 11658820, ... ) }, 11658820, ... 
) == 0x0 01106 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 196, {status=0x0, info=1}, ) }, 3, 33, ... 196, {status=0x0, info=1}, ) == 0x0 01107 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01108 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01109 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 200, ) == 0x0 01110 540 NtClose (192, ... ) == 0x0 01111 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 921600, ) == 0x0 01112 540 NtClose (200, ... ) == 0x0 01113 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01114 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01115 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 192, ) == 0x0 01116 540 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01117 540 NtClose (200, ... ) == 0x0 01118 540 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01119 540 NtClose (192, ... ) == 0x0 01120 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01121 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01122 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01123 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 01124 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01125 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01126 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01127 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01128 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01129 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01130 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01131 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01132 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01133 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01134 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01135 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01136 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01137 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01138 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01139 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01140 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01141 540 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 11660004, ... ) , 42, 11660004, ... ) == 0x0 01142 540 NtQueryDefaultUILanguage (11658720, ... 01143 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01144 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482100, ) == 0x0 01145 540 NtQueryInformationToken (-2147482100, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01146 540 NtClose (-2147482100, ... ) == 0x0 01147 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482100, ) }, ... -2147482100, ) == 0x0 01148 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01149 540 NtOpenKey (0x80000000, {24, -2147482100, 0x640, 0, 0, (0x80000000, {24, -2147482100, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482096, ) }, ... -2147482096, ) == 0x0 01150 540 NtQueryValueKey (-2147482096, (-2147482096, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01151 540 NtClose (-2147482096, ... ) == 0x0 01152 540 NtClose (-2147482100, ... ) == 0x0 01142 540 NtQueryDefaultUILanguage ... ) == 0x0 01153 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01154 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 11657572, ... ) }, 11657572, ... ) == 0x0 01155 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01156 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 200, ) == 0x0 01157 540 NtClose (192, ... ) == 0x0 01158 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 4096, ) == 0x0 01159 540 NtClose (200, ... ) == 0x0 01160 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01161 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 11657212, ... 
) }, 11657212, ... ) == 0x0 01162 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 11657912, (0x80100080, {24, 0, 0x40, 0, 11657912, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0 01163 540 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 200, ... 192, ) == 0x0 01164 540 NtClose (200, ... ) == 0x0 01165 540 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd60000), {0, 0}, 4096, ) == 0x0 01166 540 NtClose (192, ... ) == 0x0 01167 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01168 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01169 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 200, ) == 0x0 01170 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd60000), 0x0, 4096, ) == 0x0 01171 540 NtQueryInformationFile (192, 11657532, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01172 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 11657612, 1, 96, 0} (24, {128, 156, new_msg, 0, 11657612, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\300\0\0\0\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\214\350\261\0\0\0\0\0" ... 
{128, 156, reply, 0, 280, 540, 2042, 0} " \11\30\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\300\0\0\0\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\214\350\261\0\0\0\0\0" ) ... {128, 156, reply, 0, 280, 540, 2042, 0} (24, {128, 156, new_msg, 0, 11657612, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\300\0\0\0\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\214\350\261\0\0\0\0\0" ... {128, 156, reply, 0, 280, 540, 2042, 0} " \11\30\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\300\0\0\0\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\214\350\261\0\0\0\0\0" ) ) == 0x0 01174 540 NtClose (192, ... ) == 0x0 01175 540 NtClose (200, ... ) == 0x0 01176 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01177 540 NtUnmapViewOfSection (-1, 0xb1e88c, ... ) == STATUS_NOT_MAPPED_VIEW 01178 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01179 540 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01180 540 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01181 540 NtUserGetDC (0, ... ) == 0x1010050 01182 540 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01183 540 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 01184 540 NtUserSystemParametersInfo (66, 12, 11660024, 0, ... ) == 0x1 01185 540 NtOpenProcessToken (-1, 0x8, ... 200, ) == 0x0 01186 540 NtAccessCheck (1377720, 200, 0x1, 11659428, 11659372, 56, 11659456, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01187 540 NtClose (200, ... 
) == 0x0 01188 540 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "Control Panel\Desktop"}, ... 200, ) }, ... 200, ) == 0x0 01189 540 NtQueryValueKey (200, (200, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01190 540 NtClose (200, ... ) == 0x0 01191 540 NtUserSystemParametersInfo (41, 500, 11659524, 0, ... ) == 0x1 01192 540 NtOpenKey (0x1, {24, 136, 0x40, 0, 0, (0x1, {24, 136, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 200, ) }, ... 200, ) == 0x0 01193 540 NtQueryValueKey (200, (200, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01194 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 192, ) }, ... 192, ) == 0x0 01195 540 NtQueryValueKey (192, (192, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01196 540 NtClose (192, ... ) == 0x0 01197 540 NtClose (200, ... ) == 0x0 01198 540 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 01199 540 NtUserSystemParametersInfo (4130, 0, 11660048, 0, ... ) == 0x1 01200 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 200, ) }, ... 200, ) == 0x0 01201 540 NtEnumerateValueKey (200, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01202 540 NtClose (200, ... ) == 0x0 01203 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01204 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc03b 01205 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc03d 01206 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10011 01207 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... 
) == 0x810dc03f 01208 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01209 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc041 01210 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01211 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc043 01212 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc045 01213 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01214 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc047 01215 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10011 01216 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc049 01217 540 NtUserGetClassInfo (1905590272, 11659944, 11659896, 11659972, 0, ... ) == 0xc049 01218 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01219 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc04b 01220 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01221 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc04d 01222 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01223 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc04f 01224 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc051 01225 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01226 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc053 01227 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... 
) == 0x10011 01228 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc055 01229 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... 01230 540 NtAllocateVirtualMemory (-1, 6545408, 0, 4096, 4096, 32, ... 6545408, 4096, ) == 0x0 01229 540 NtUserRegisterClassExWOW ... ) == 0x810dc057 01231 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01232 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc059 01233 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10013 01234 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc05b 01235 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01236 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc05d 01237 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01238 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc05f 01239 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10011 01240 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc017 01241 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10011 01242 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc019 01243 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10013 01244 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc018 01245 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01246 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc01a 01247 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... 
) == 0x10011 01248 540 NtUserRegisterClassExWOW (11659780, 11659860, 11659844, 11659876, 0, 384, 0, ... ) == 0x810dc01c 01249 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01250 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc01e 01251 540 NtUserFindExistingCursorIcon (11659328, 11659344, 11659912, ... ) == 0x10011 01252 540 NtUserRegisterClassExWOW (11659840, 11659920, 11659904, 11659936, 0, 384, 0, ... ) == 0x810dc01b 01253 540 NtUserFindExistingCursorIcon (11659324, 11659340, 11659908, ... ) == 0x10011 01254 540 NtUserRegisterClassExWOW (11659836, 11659916, 11659900, 11659932, 0, 384, 0, ... ) == 0x810dc068 01255 540 NtUserFindExistingCursorIcon (11659332, 11659348, 11659916, ... ) == 0x10011 01256 540 NtUserRegisterClassExWOW (11659784, 11659864, 11659848, 11659880, 0, 384, 0, ... ) == 0x810dc06a 01257 540 NtCreateKey (0x2001f, {24, 136, 0x40, 0, 0, (0x2001f, {24, 136, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0 01258 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 4096, 4, ... 14155776, 262144, ) == 0x0 01259 540 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 01260 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0 01261 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01262 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 204, ) == 0x0 01263 540 NtClose (192, ... ) == 0x0 01264 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdc0000), 0x0, 229376, ) == 0x0 01265 540 NtClose (204, ... ) == 0x0 01266 540 NtUnmapViewOfSection (-1, 0xdc0000, ... 
) == 0x0 01267 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661828, ... ) }, 11661828, ... ) == 0x0 01268 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01269 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 192, ) == 0x0 01270 540 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01271 540 NtClose (204, ... ) == 0x0 01272 540 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01273 540 NtClose (192, ... ) == 0x0 01274 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01275 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01276 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01277 540 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01278 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01279 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... 
) == 0x0 01282 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01283 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0 01284 540 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01285 540 NtClose (204, ... ) == 0x0 01286 540 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01287 540 NtClose (208, ... ) == 0x0 01288 540 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 01289 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01290 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01292 540 NtQueryValueKey (204, (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 540 NtQueryValueKey (208, (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 540 NtQueryValueKey (204, (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 540 NtQueryValueKey (208, (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01296 540 NtQueryValueKey (204, (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 540 NtQueryValueKey (208, (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01298 540 NtQueryValueKey (204, (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 540 NtQueryValueKey (208, (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 540 NtQueryValueKey (204, (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01301 540 NtQueryValueKey (204, (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01302 540 NtQueryValueKey (204, (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 540 NtQueryValueKey (204, (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01304 540 NtQueryValueKey (204, (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 540 NtQueryValueKey (204, (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01306 540 NtQueryValueKey (204, (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 540 NtQueryValueKey (208, (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 540 NtQueryValueKey (204, (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 540 NtQueryValueKey (204, (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01310 540 NtQueryValueKey (208, (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01311 540 NtQueryValueKey (204, (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01312 540 NtQueryValueKey (208, (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01313 540 NtQueryValueKey (204, (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01314 540 NtQueryValueKey (208, (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01315 540 NtQueryValueKey (204, (204, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01316 540 NtQueryValueKey (208, (208, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01317 540 NtQueryValueKey (204, (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01318 540 NtQueryValueKey (208, (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01319 540 NtQueryValueKey (204, (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01320 540 NtQueryValueKey (208, (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 540 NtQueryValueKey (204, (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01322 540 NtQueryValueKey (208, (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01323 540 NtQueryValueKey (204, (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01324 540 NtQueryValueKey (208, (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01325 540 NtQueryValueKey (204, (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01326 540 NtQueryValueKey (204, (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01327 540 NtQueryValueKey (204, (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01328 540 NtQueryValueKey (204, (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01329 540 NtQueryValueKey (204, (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01330 540 NtQueryValueKey (204, (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 540 NtQueryValueKey (204, (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01332 540 NtQueryValueKey (204, (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 540 NtQueryValueKey (204, (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01334 540 NtQueryValueKey (204, (204, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01335 540 NtQueryValueKey (204, (204, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01336 540 NtQueryValueKey (204, (204, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01337 540 NtQueryValueKey (204, (204, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 
212, ) }, ... 212, ) == 0x0 01339 540 NtQueryValueKey (212, (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01340 540 NtClose (212, ... ) == 0x0 01341 540 NtClose (208, ... ) == 0x0 01342 540 NtClose (204, ... ) == 0x0 01343 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01344 540 NtQueryValueKey (204, (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01345 540 NtQueryValueKey (204, (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 540 NtQueryValueKey (204, (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 540 NtClose (204, ... ) == 0x0 01348 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01349 540 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 208, ) == 0x0 01350 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01351 540 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11662104, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11662104, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0 01352 540 NtRequestWaitReplyPort (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850} (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\2603\25\0\3303\25\0H5\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0W\1\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 280, 540, 2044, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\2603\25\0\3303\25\0H5\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0W\1\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 280, 540, 2044, 0} (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\2603\25\0\3303\25\0H5\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0W\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 280, 540, 2044, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\2603\25\0\3303\25\0H5\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0W\1\0\0\5\0\0\0" ) ) == 0x0 01353 540 NtRequestWaitReplyPort (216, {64, 88, new_msg, 0, 0, 0, 0, 0} (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 280, 540, 2045, 0} "\2z\0\0\1\0*\370\277\6O\200\374\70\300\244K*\370X\5O\200\0\260\375\177\0\0\0\0\340T\14\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 280, 540, 2045, 0} (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 280, 540, 2045, 0} "\2z\0\0\1\0*\370\277\6O\200\374\70\300\244K*\370X\5O\200\0\260\375\177\0\0\0\0\340T\14\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01354 540 NtClose (212, ... ) == 0x0 01355 540 NtClose (216, ... 
) == 0x0 01356 540 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0 01357 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01358 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01359 540 NtQueryValueKey (216, (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01360 540 NtQueryValueKey (216, (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01361 540 NtClose (216, ... ) == 0x0 01362 540 NtClose (212, ... ) == 0x0 01363 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01364 540 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11661968, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11661968, 112, ... 
216, 0x0, 0x0, 0x0, 112, ) == 0x0 01365 540 NtRequestWaitReplyPort (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850} (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@3\25\0\3403\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\2406\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 280, 540, 2048, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@3\25\0\3403\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\2406\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 280, 540, 2048, 0} (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@3\25\0\3403\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\2406\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 280, 540, 2048, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@3\25\0\3403\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\2406\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 01366 540 NtRequestWaitReplyPort (216, {44, 68, new_msg, 0, 280, 540, 2045, 0} (216, {44, 68, new_msg, 0, 280, 540, 2045, 0} "\1z\0\0A\2\4\0\277\6O\200\374\70\300\244K*\370X\5O\200\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 280, 540, 2049, 0} "\2`\372\177\4\00\300\0\0\0\0\364\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... 
{40, 64, reply, 0, 280, 540, 2049, 0} (216, {44, 68, new_msg, 0, 280, 540, 2045, 0} "\1z\0\0A\2\4\0\277\6O\200\374\70\300\244K*\370X\5O\200\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 280, 540, 2049, 0} "\2`\372\177\4\00\300\0\0\0\0\364\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 01367 540 NtRequestWaitReplyPort (216, {64, 88, new_msg, 56, 0, 1, 0, 0} (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\261\0@\0\314w\3302\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\3302\25\0\1\0\0\0\2406\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 280, 540, 2050, 0} "\10\364\261\0@\0\314w\3302\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\3302\25\0\1\0\0\0\2406\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 280, 540, 2050, 0} (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\261\0@\0\314w\3302\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\3302\25\0\1\0\0\0\2406\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 280, 540, 2050, 0} "\10\364\261\0@\0\314w\3302\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\3302\25\0\1\0\0\0\2406\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01368 540 NtClose (212, ... ) == 0x0 01369 540 NtClose (216, ... ) == 0x0 01370 540 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0 01371 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01372 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01373 540 NtQueryValueKey (216, (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01374 540 NtQueryValueKey (216, (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01375 540 NtClose (216, ... ) == 0x0 01376 540 NtClose (212, ... ) == 0x0 01377 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01378 540 NtQueryValueKey (212, (212, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 540 NtClose (212, ... ) == 0x0 01380 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0 01381 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01382 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0 01383 540 NtClose (212, ... ) == 0x0 01384 540 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 16384, ) == 0x0 01385 540 NtClose (216, ... ) == 0x0 01386 540 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 01387 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11661828, ... ) }, 11661828, ... ) == 0x0 01388 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 
216, {status=0x0, info=1}, ) == 0x0 01389 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01390 540 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01391 540 NtClose (216, ... ) == 0x0 01392 540 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 01393 540 NtClose (212, ... ) == 0x0 01394 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 212, ) }, ... 212, ) == 0x0 01395 540 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01396 540 NtClose (212, ... ) == 0x0 01397 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01398 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 216, ) }, ... 216, ) == 0x0 01399 540 NtQueryValueKey (216, (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01400 540 NtClose (216, ... ) == 0x0 01401 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0 01402 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01403 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14024704, 65536, ) == 0x0 01404 540 NtAllocateVirtualMemory (-1, 14024704, 0, 4096, 4096, 4, ... 14024704, 4096, ) == 0x0 01405 540 NtAllocateVirtualMemory (-1, 14028800, 0, 8192, 4096, 4, ... 
14028800, 8192, ) == 0x0 01406 540 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01407 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0 01408 540 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11661788, 112, ... 220, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11661788, 112, ... 220, 0x0, 0x0, 0x0, 112, ) == 0x0 01409 540 NtRequestWaitReplyPort (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552} (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552} "\0$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\6\25\0\4\0\0\0\210\6\25\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\270=\25\0\0\0\0\0p?\25\0\330=\25\0H?\25\0\0\0\0\0\0\0\0\0\0\0\0\0p?\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 280, 540, 2053, 0} "\7$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\6\25\0\377\377\377\377\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\270=\25\0\0\0\0\0p?\25\0\330=\25\0H?\25\0\0\0\0\0\0\0\0\0\0\0\0\0p?\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {128, 152, reply, 0, 280, 540, 2053, 0} (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552} "\0$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\6\25\0\4\0\0\0\210\6\25\0\20\344\314w\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\270=\25\0\0\0\0\0p?\25\0\330=\25\0H?\25\0\0\0\0\0\0\0\0\0\0\0\0\0p?\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{128, 152, reply, 0, 280, 540, 2053, 0} "\7$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\6\25\0\377\377\377\377\210\6\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\270=\25\0\0\0\0\0p?\25\0\330=\25\0H?\25\0\0\0\0\0\0\0\0\0\0\0\0\0p?\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01410 540 NtRequestWaitReplyPort (220, {104, 128, new_msg, 0, 280, 540, 2049, 0} (220, {104, 128, new_msg, 0, 280, 540, 2049, 0} "\1`\0\0A\2\11\0\0\0\0\0\364\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\244E\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 280, 540, 2054, 0} "\2\212T\200\1\0(\201\214+\360\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 280, 540, 2054, 0} (220, {104, 128, new_msg, 0, 280, 540, 2049, 0} "\1`\0\0A\2\11\0\0\0\0\0\364\5\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\244E\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 280, 540, 2054, 0} "\2\212T\200\1\0(\201\214+\360\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 01411 540 NtClose (216, ... ) == 0x0 01412 540 NtClose (220, ... ) == 0x0 01413 540 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 220, ) }, ... 220, ) == 0x0 01414 540 NtQueryValueKey (220, (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01415 540 NtQueryValueKey (220, (220, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01416 540 NtQueryValueKey (220, (220, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 540 NtClose (220, ... ) == 0x0 01418 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01420 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01421 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == 0x0 01422 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0 01423 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 220, ... 216, ) == 0x0 01424 540 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01425 540 NtClose (220, ... ) == 0x0 01426 540 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 01427 540 NtClose (216, ... ) == 0x0 01428 540 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0 01429 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
220, ) == 0x0 01430 540 NtDeviceIoControlFile (216, 220, 0x0, 0x0, 0xf14014, (216, 220, 0x0, 0x0, 0xf14014, "\3\0\0\0www.microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 01431 540 NtClose (220, ... ) == 0x0 01432 540 NtClose (216, ... ) == 0x0 01433 540 NtDelayExecution (0, {1770094592, -2}, ... 01017 544 NtDelayExecution ... ) == 0x0 01045 536 NtDelayExecution ... ) == 0x0 01434 544 NtContinue (12710568, 0, ... 01435 544 NtDelayExecution (0, {-20480000, -1}, ... 01436 536 NtEnumerateValueKey (140, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01437 536 NtClose (140, ... ) == 0x0 01438 536 NtDelayExecution (0, {-10240000, -1}, ... ) == 0x0 01439 536 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0 01440 536 NtQueryDirectoryFile (140, 0, 0, 0, 10615268, 616, BothDirectory, 1, (140, 0, 0, 0, 10615268, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... 
{status=0x0, info=118}, ) == 0x0 01441 536 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0 01442 536 NtQueryDirectoryFile (140, 0, 0, 0, 1394136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0 01443 536 NtDelayExecution (0, {-10240000, -1}, ... 01435 544 NtDelayExecution ... ) == 0x0 01444 544 NtContinue (12710568, 0, ... 01445 544 NtDelayExecution (0, {-20480000, -1}, ... 01443 536 NtDelayExecution ... ) == 0x0 01446 536 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 216, {status=0x0, info=1}, ) }, 3, 16417, ... 216, {status=0x0, info=1}, ) == 0x0 01447 536 NtQueryDirectoryFile (216, 0, 0, 0, 10615208, 616, BothDirectory, 1, (216, 0, 0, 0, 10615208, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01448 536 NtQueryDirectoryFile (216, 0, 0, 0, 1398240, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0 01449 536 NtDelayExecution (0, {-10240000, -1}, ... ) == 0x0 01450 536 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\REPAIR\"}, 3, 16417, ... 220, {status=0x0, info=1}, ) }, 3, 16417, ... 220, {status=0x0, info=1}, ) == 0x0 01451 536 NtQueryDirectoryFile (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01452 536 NtAllocateVirtualMemory (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0 01453 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1240}, ) == 0x0 01454 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 01455 536 NtClose (220, ... ) == 0x0 01456 536 NtDelayExecution (0, {-5120000, -1}, ... ) == 0x0 01457 536 NtDelayExecution (0, {-10240000, -1}, ... 01445 544 NtDelayExecution ... 
) == 0x0 01458 544 NtContinue (12710568, 0, ... 01459 544 NtDelayExecution (0, {-20480000, -1}, ... 01457 536 NtDelayExecution ... ) == 0x0 01460 536 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\INF\"}, 3, 16417, ... 220, {status=0x0, info=1}, ) }, 3, 16417, ... 220, {status=0x0, info=1}, ) == 0x0 01461 536 NtQueryDirectoryFile (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01462 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3990}, ) == 0x0 01463 536 NtFsControlFile (180, 157, 0x0, 0x0, 0x11c017, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 96, 1024, ... {status=0x103, info=28}, (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01464 536 NtDelayExecution (0, {-20480000, -1}, ... 01459 544 NtDelayExecution ... ) == 0x0 01465 544 NtContinue (12710568, 0, ... 01466 544 NtDelayExecution (0, {-20480000, -1}, ... 01464 536 NtDelayExecution ... ) == 0x0 01467 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0 01468 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3986}, ) == 0x0 01469 536 NtDelayExecution (0, {-81920000, -1}, ... 01466 544 NtDelayExecution ... ) == 0x0 01470 544 NtContinue (12710568, 0, ... 
01471 544 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01472 544 NtContinue (12710568, 0, ... 01473 544 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01474 544 NtContinue (12710568, 0, ... 01475 544 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01476 544 NtContinue (12710568, 0, ... 01477 544 NtDelayExecution (0, {-20480000, -1}, ... 01469 536 NtDelayExecution ... ) == 0x0 01478 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0 01479 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4078}, ) == 0x0 01480 536 NtQueryDirectoryFile (220, 0, 0, 0, 1402344, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4066}, ) == 0x0 01481 536 NtDelayExecution (0, {-81920000, -1}, ... 01477 544 NtDelayExecution ... ) == 0x0 01482 544 NtContinue (12710568, 0, ... 01483 544 NtDelayExecution (0, {-20480000, -1}, ... 00777 284 NtUserWaitForInputIdle ... ) == 0x102 01484 284 NtClose (108, ... ) == 0x0 01485 284 NtClose (112, ... ) == 0x0 01486 284 NtContinue (1244396, 0, ... 01487 284 NtAllocateVirtualMemory (-1, 0, 0, 5700, 4096, 64, ... 14417920, 8192, ) == 0x0 01488 284 NtAllocateVirtualMemory (-1, 0, 0, 52884, 4096, 64, ... 14483456, 53248, ) == 0x0 01489 284 NtAllocateVirtualMemory (-1, 0, 0, 78688, 4096, 4, ... 14548992, 81920, ) == 0x0 01490 284 NtFreeVirtualMemory (-1, (0xde0000), 0, 32768, ... (0xde0000), 81920, ) == 0x0 01491 284 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 01492 284 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 01493 284 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 01494 284 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 01495 284 NtFreeVirtualMemory (-1, (0xdd0000), 0, 32768, ... (0xdd0000), 53248, ) == 0x0 01496 284 NtAllocateVirtualMemory (-1, 0, 0, 90087, 4096, 4, ... 
14483456, 90112, ) == 0x0 01497 284 NtFreeVirtualMemory (-1, (0xdd0000), 90087, 4, ... ) == STATUS_INVALID_PARAMETER_4 01498 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 112, ) }, ... 112, ) == 0x0 01499 284 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 01500 284 NtClose (112, ... ) == 0x0 01501 284 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 112, ) }, ... 112, ) == 0x0 01502 284 NtQueryValueKey (112, (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01503 284 NtClose (112, ... ) == 0x0 01504 284 NtQueryDefaultUILanguage (1241408, ... 01505 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01506 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482092, ) == 0x0 01507 284 NtQueryInformationToken (-2147482092, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01508 284 NtClose (-2147482092, ... ) == 0x0 01509 284 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482092, ) }, ... -2147482092, ) == 0x0 01510 284 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 284 NtOpenKey (0x80000000, {24, -2147482092, 0x640, 0, 0, (0x80000000, {24, -2147482092, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482104, ) }, ... -2147482104, ) == 0x0 01512 284 NtQueryValueKey (-2147482104, (-2147482104, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 284 NtClose (-2147482104, ... 
) == 0x0 01514 284 NtClose (-2147482092, ... ) == 0x0 01504 284 NtQueryDefaultUILanguage ... ) == 0x0 01515 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 284 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 112, {status=0x0, info=1}, ) }, 1, 96, ... 112, {status=0x0, info=1}, ) == 0x0 01517 284 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 112, ... 108, ) == 0x0 01518 284 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdf0000), 0x0, 8323072, ) == 0x0 01519 284 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01520 284 NtQueryDefaultLocale (1, 1239444, ... ) == 0x0 01521 284 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01522 284 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240300, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240300, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\26\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 280, 284, 2281, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\26\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\363\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 280, 284, 2281, 0} (24, {128, 156, new_msg, 0, 1240300, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\26\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 280, 284, 2281, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\26\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\363\22\0\0\0\0\0" ) ) == 0x0 01523 284 NtClose (112, ... ) == 0x0 01524 284 NtClose (108, ... ) == 0x0 01525 284 NtUnmapViewOfSection (-1, 0xdf0000, ... ) == 0x0 01526 284 NtUnmapViewOfSection (-1, 0x12f3ec, ... ) == STATUS_NOT_MAPPED_VIEW 01527 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01528 284 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01530 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01531 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238528, ... ) }, 1238528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01532 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01533 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01534 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01535 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239120, ... ) }, 1239120, ... 
) == 0x0 01536 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 108, {status=0x0, info=1}, ) }, 3, 33, ... 108, {status=0x0, info=1}, ) == 0x0 01537 284 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01538 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 112, ) }, ... 112, ) == 0x0 01539 284 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 01540 284 NtClose (112, ... ) == 0x0 01541 284 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {280, 0}, ... 112, ) == 0x0 01542 284 NtQueryInformationProcess (112, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01543 284 NtClose (112, ... ) == 0x0 01544 284 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01545 284 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 01546 284 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 01547 284 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "Control Panel\Desktop"}, ... 112, ) }, ... 112, ) == 0x0 01548 284 NtQueryValueKey (112, (112, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01549 284 NtClose (112, ... ) == 0x0 01550 284 NtUserSystemParametersInfo (41, 500, 1240984, 0, ... ) == 0x1 01551 284 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 01552 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01553 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01554 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec03b 01555 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01556 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... 
) == 0x810ec03d 01557 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01558 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01559 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec03f 01560 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01561 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01562 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec041 01563 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01564 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01565 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec043 01566 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01567 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec045 01568 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01569 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01570 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec047 01571 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01572 284 NtUserFindExistingCursorIcon (1240772, 1240788, 1241356, ... ) == 0x10011 01573 284 NtUserRegisterClassExWOW (1241224, 1241304, 1241288, 1241320, 0, 384, 0, ... ) == 0x810ec049 01574 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01575 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01576 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec04b 01577 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01578 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... 
) == 0x10011 01579 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec04d 01580 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01581 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01582 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec04f 01583 284 NtUserGetClassInfo (1999896576, 1241396, 1241348, 1241424, 0, ... ) == 0x0 01584 284 NtUserRegisterClassExWOW (1241232, 1241312, 1241296, 1241328, 0, 384, 0, ... ) == 0x810ec051 01585 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01586 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01587 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec053 01588 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01589 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01590 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec055 01591 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec057 01592 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01593 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01594 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec059 01595 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01596 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10013 01597 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec05b 01598 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01599 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... 
) == 0x10011 01600 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec05d 01601 284 NtUserGetClassInfo (1999896576, 1241392, 1241344, 1241420, 0, ... ) == 0x0 01602 284 NtUserFindExistingCursorIcon (1240776, 1240792, 1241360, ... ) == 0x10011 01603 284 NtUserRegisterClassExWOW (1241228, 1241308, 1241292, 1241324, 0, 384, 0, ... ) == 0x810ec05f 01604 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc03b 01605 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc03d 01606 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc03f 01607 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc041 01608 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc043 01609 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc045 01610 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc047 01611 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc049 01612 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc04b 01613 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc04d 01614 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc04f 01615 284 NtUserGetClassInfo (1999896576, 1243148, 1243100, 1243176, 0, ... ) == 0xc051 01616 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc053 01617 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc055 01618 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc059 01619 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc05b 01620 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... ) == 0xc05d 01621 284 NtUserGetClassInfo (1999896576, 1243144, 1243096, 1243172, 0, ... 
) == 0xc05f 01622 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01623 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01624 284 NtDelayExecution (0, {-10000000, -1}, ... 01483 544 NtDelayExecution ... ) == 0x0 01625 544 NtContinue (12710568, 0, ... 01626 544 NtDelayExecution (0, {-20480000, -1}, ... 01624 284 NtDelayExecution ... ) == 0x0 01627 284 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 112, ) }, 0, ... 112, ) == 0x0 01628 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01629 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01630 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 01632 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01633 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 224, ... 228, ) == 0x0 01634 284 NtQuerySection (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01635 284 NtClose (224, ... ) == 0x0 01636 284 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01637 284 NtClose (228, ... ) == 0x0 01638 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 228, ) }, ... 
228, ) == 0x0 01639 284 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 01640 284 NtClose (228, ... ) == 0x0 01641 284 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 228, ) == 0x0 01642 284 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0 01643 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 232, ) }, ... 232, ) == 0x0 01644 284 NtNotifyChangeKey (232, 224, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 01645 284 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 01646 284 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0 01647 284 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 240, ) == 0x0 01648 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01649 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01650 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01651 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 01652 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01653 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 248, ) == 0x0 01654 284 NtQuerySection (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01655 284 NtClose (244, ... ) == 0x0 01656 284 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 01657 284 NtClose (248, ... 
) == 0x0 01658 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01660 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01661 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == 0x0 01662 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0 01663 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 248, ... 244, ) == 0x0 01664 284 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01665 284 NtClose (248, ... ) == 0x0 01666 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01667 284 NtClose (244, ... ) == 0x0 01668 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01669 284 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14614528, 262144, ) == 0x0 01670 284 NtAllocateVirtualMemory (-1, 14614528, 0, 4096, 4096, 4, ... 14614528, 4096, ) == 0x0 01671 284 NtAllocateVirtualMemory (-1, 14618624, 0, 8192, 4096, 4, ... 14618624, 8192, ) == 0x0 01672 284 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01673 284 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01674 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01675 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01676 284 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01677 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0 01678 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01679 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 248, ) == 0x0 01680 284 NtQuerySection (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01681 284 NtClose (244, ... ) == 0x0 01682 284 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 01683 284 NtClose (248, ... ) == 0x0 01684 284 NtAllocateVirtualMemory (-1, 3948544, 0, 8192, 4096, 4, ... 3948544, 8192, ) == 0x0 01685 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01686 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 248, ) == 0x0 01687 284 NtQueryInformationToken (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01688 284 NtClose (248, ... 
) == 0x0 01689 284 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 248, ) }, ... 248, ) == 0x0 01690 284 NtOpenKey (0x20019, {24, 248, 0x40, 0, 0, (0x20019, {24, 248, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01691 284 NtClose (248, ... ) == 0x0 01692 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 248, ) }, ... 248, ) == 0x0 01693 284 NtQueryValueKey (248, (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01694 284 NtQueryValueKey (248, (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01695 284 NtQueryValueKey (248, (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01696 284 NtQueryValueKey (248, (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01697 284 NtClose (248, ... ) == 0x0 01698 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 248, ) }, ... 248, ) == 0x0 01699 284 NtQueryValueKey (248, (248, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01700 284 NtQueryValueKey (248, (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01701 284 NtQueryValueKey (248, (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01702 284 NtQueryValueKey (248, (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01703 284 NtQueryValueKey (248, (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01704 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0 01705 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01706 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 244, ... 252, ) == 0x0 01707 284 NtClose (244, ... ) == 0x0 01708 284 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 135168, ) == 0x0 01709 284 NtClose (252, ... ) == 0x0 01710 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 01711 284 NtQuerySystemInformation (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0 01712 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238660, ... ) }, 1238660, ... 
) == 0x0 01713 284 NtQueryFullAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0 01714 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239184, (0x80100080, {24, 0, 0x40, 0, 1239184, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) == 0x0 01715 284 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 252, ... 244, ) == 0x0 01716 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe30000), {0, 0}, 135168, ) == 0x0 01717 284 NtQueryDefaultLocale (1, 1238992, ... ) == 0x0 01718 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... {BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01719 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... {BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01720 284 NtReadFile (252, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (252, 0, 0, 0, 336, 0x0, 0, ... 
{status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01721 284 NtQueryInformationFile (252, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01722 284 NtSetInformationFile (252, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01723 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01724 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01725 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01726 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01727 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01728 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01729 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01730 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01731 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01732 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01733 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01734 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01735 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01736 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01737 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01738 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01739 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01740 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01741 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01742 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01743 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01744 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01745 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01746 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01747 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01748 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01749 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01750 284 NtReadFile (252, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01751 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01752 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01753 284 NtReadFile (252, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (252, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01754 284 NtQueryInformationFile (252, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01755 284 NtSetInformationFile (252, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01756 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0 01757 284 NtReadFile (252, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, (252, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0 01758 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 01759 284 NtClose (244, ... ) == 0x0 01760 284 NtClose (252, ... 
) == 0x0 01761 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01762 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0 01763 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 252, ... 244, ) == 0x0 01764 284 NtClose (252, ... ) == 0x0 01765 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 135168, ) == 0x0 01766 284 NtClose (244, ... ) == 0x0 01767 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 01768 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238032, ... ) }, 1238032, ... ) == 0x0 01769 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01770 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 252, ) == 0x0 01771 284 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01772 284 NtClose (244, ... ) == 0x0 01773 284 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0 01774 284 NtClose (252, ... ) == 0x0 01775 284 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01776 284 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01777 284 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01778 284 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01779 284 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01780 284 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01781 284 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... 
(0xffd1000), 4096, 32, ) == 0x0 01782 284 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01783 284 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01784 284 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01785 284 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01786 284 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01787 284 NtAllocateVirtualMemory (-1, 1413120, 0, 20480, 4096, 4, ... 1413120, 20480, ) == 0x0 01788 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01789 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01790 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01791 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01792 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01793 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01794 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01795 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01796 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01797 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01798 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01799 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01800 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01801 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01802 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01803 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01804 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01805 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01806 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01807 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01808 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01809 284 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01810 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236984, ... ) }, 1236984, ... 
) == 0x0 01811 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237716, (0x80100080, {24, 0, 0x40, 0, 1237716, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) == 0x0 01812 284 NtQueryVolumeInformationFile (252, 1237876, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01813 284 NtQueryInformationFile (252, 1237768, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01814 284 NtQueryInformationFile (252, 1238060, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01815 284 NtClose (252, ... ) == 0x0 01816 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236476, ... ) }, 1236476, ... ) == 0x0 01817 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237208, (0x80100080, {24, 0, 0x40, 0, 1237208, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) == 0x0 01818 284 NtQueryVolumeInformationFile (252, 1237368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01819 284 NtQueryInformationFile (252, 1237260, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01820 284 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 252, ... 244, ) == 0x0 01821 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe30000), {0, 0}, 135168, ) == 0x0 01822 284 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01823 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... {BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01824 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... {BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01825 284 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01826 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... 
{BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01827 284 NtQueryVirtualMemory (-1, 0xe30000, Basic, 28, ... {BaseAddress=0xe30000,AllocationBase=0xe30000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01828 284 NtReadFile (252, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (252, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01829 284 NtQueryInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01830 284 NtSetInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01831 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01832 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01833 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01834 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01835 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01836 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01837 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01838 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01839 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01840 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01841 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01842 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01843 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01844 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01845 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01846 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01847 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01848 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01849 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01850 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01851 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01852 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01853 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01854 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01855 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01856 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01857 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01858 284 NtReadFile (252, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01859 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01860 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01861 284 NtReadFile (252, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (252, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01862 284 NtQueryInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01863 284 NtSetInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01864 284 NtQueryInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01865 284 NtSetInformationFile (252, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01866 284 NtReadFile (252, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (252, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0 01867 284 NtReadFile (252, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, (252, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0 01868 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 01869 284 NtClose (244, ... ) == 0x0 01870 284 NtClose (252, ... 
) == 0x0 01871 284 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 252, ) }, ... 252, ) == 0x0 01872 284 NtQueryValueKey (252, (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01873 284 NtQueryValueKey (252, (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01874 284 NtQueryValueKey (252, (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01875 284 NtQueryValueKey (252, (252, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "MachineGuid", Partial, 144, ... 
TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01876 284 NtClose (252, ... ) == 0x0 01877 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01878 284 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01879 284 NtOpenProcessToken (-1, 0x8, ... 252, ) == 0x0 01880 284 NtQueryInformationToken (252, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 01881 284 NtClose (252, ... ) == 0x0 01882 284 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 252, {status=0x0, info=0}, ) }, 7, 16, ... 252, {status=0x0, info=0}, ) == 0x0 01883 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\351-8\374\13&\305:\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01884 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01885 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01886 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01887 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01888 284 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01889 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01890 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01891 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01892 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "\253\375\342\235vd\5*\306\5,!!\366\371\317\377\34u\252$8\343~#\-K\250\331\377=o\37r\200ji5\31(A\2646{\\332l\220{\20nY\334!{8\2\201\300\243\325\366\263\206\320\361!\256\247\311\242d\326\242N\266\354\362f", 80, ... , 0, 3, (-2147482096, "Seed", 0, 3, "\253\375\342\235vd\5*\306\5,!!\366\371\317\377\34u\252$8\343~#\-K\250\331\377=o\37r\200ji5\31(A\2646{\\332l\220{\20nY\334!{8\2\201\300\243\325\366\263\206\320\361!\256\247\311\242d\326\242N\266\354\362f", 80, ... , 80, ... 01893 284 NtSetInformationFile (-2147482808, -104227204, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01894 284 NtSetInformationFile (-2147482808, -104227240, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01892 284 NtSetValueKey ... ) == 0x0 01895 284 NtClose (-2147482096, ... ) == 0x0 01883 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\360\257\270\12\15k\274!\235\245\233;X\33s\230\376$\23|\313Z\250C\344\325\230\257\204\37\14\X\331}\340\334z-&78\245\313\255\317\375\303\274_E\342/\307\6N\30\324\30\254(\13\244NF^\17\326\6\257j\241\317Z?\213Y~\2409\360\24\317\273\303\341\3703m\364\202esy\14\334\336\243fc~\253\233I\327\274y:(a\3462\323\0\303n\237@\10@\5d\215qP\203ad\261\365\270\20\317E\3078G\277/T\336\272\355\336\205\232r\256e\242\337\274z\36_\240\226TNck\35\10\301\236ah;Hk\251UU\337\264\0F\377\221{,\203\317\21\316\262\251\3038il2\207vT\370\214,V\202\2548\325\310(\256\233\215\255\276\226]\332\224\4)\311, ) , ) == 0x0 01896 284 NtClose (248, ... ) == 0x0 01897 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\256\206\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01898 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01899 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01900 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01901 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01902 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01903 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01904 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01905 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01906 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "%\2355<\213@\302\243\37\371\200\332\12\237t\324#\353\200\32Y\371\237\6w\311\24\351wi\12\331\277?\206k\24W\37`\331e\202\346\24 \341+\233\241\31K\222v\22\334~\%\241\334\200\263\243\220(0\355\241\271\24\253\26\275\237Ux\36", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "%\2355<\213@\302\243\37\371\200\332\12\237t\324#\353\200\32Y\371\237\6w\311\24\351wi\12\331\277?\206k\24W\37`\331e\202\346\24 \341+\233\241\31K\222v\22\334~\%\241\334\200\263\243\220(0\355\241\271\24\253\26\275\237Ux\36", 80, ... ) , 80, ... ) == 0x0 01907 284 NtClose (-2147482096, ... ) == 0x0 01897 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\203\312\255\207Qu\341\317\14x\365\316\305rC\364\212\2036Xw\317a\221\3013\354\255\10\323b\226\365#\202\215~R\343\355p\230\207\245\217I7\245\377$\35q\233'\256\317\307\301\323\225_\325\333\215\243KT\216\261\1\320* \32\24[;\356\203b*\32k\304\245\351,j\304\310\233\226c}\303m\341\333\37\311\247\367\355\31\235\250\262kY\302\4E\301*\16k\4]\272]'\17\350\\201/x\274\206'\313\204\255\79\244!l\202k@\311uv\2yJ)y\25;\205\272\351\35\345\372|\23\372U\216c\3760\237\37c!\255\342 \355U\330IY\217\2168 \244\310\324r\256\30!dd`q\306\272+YJ\224\325\335\265\34r\235\355m\310<\322?\251\0\31\35\207\354\267\355\1 q\373\305\336<[\240X\332\312*E\313s\375/\320\333'P\260s\24\313\325F\215U\373\320\353)m\327\250\210", ) , ) == 0x0 01908 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01909 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01910 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01911 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01912 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01913 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01914 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01915 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01916 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01917 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "F9\245\302\254\231\335\271\316\3749t\254S\305v\r9\367\4\23%\325\256$\370\14h&\3104ey\242\346\213\305\307\231\321\270p\24\224\33\317\247\235;'\317\355S\266#\267\303BH-\261-\2651\235\244\226 V\212\320\3728\213\337\215P^\265", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "F9\245\302\254\231\335\271\316\3749t\254S\305v\r9\367\4\23%\325\256$\370\14h&\3104ey\242\346\213\305\307\231\321\270p\24\224\33\317\247\235;'\317\355S\266#\267\303BH-\261-\2651\235\244\226 V\212\320\3728\213\337\215P^\265", 80, ... ) , 80, ... ) == 0x0 01918 284 NtClose (-2147482096, ... ) == 0x0 01908 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\366\0\240vm4\364\361\177\257\204a\5\207\220\262\16\6+\317\355\377\212\353~\300\300\271"\334\320\3w\332z\315\273q\267z:}\201\200];\302\316\4):^\302\222a\353F\225\6\365\272\363\256m\336\23\271\332$ `\23\374\334(\4\222\364[\36\26\10\222\25\274\224%\33\370@\205\200\312\1\326f\336\376H\341\20\14\207/\20l\344\261\340\374\331\334\325AP\35\201h'\277\364\33\221r6\223\26\247\236\374u\200h\263\253\2025\333\312A\365g\261"'\257\H\277\267\14{\332\303e\222\372\31\36\214\374&\307\271B\353\264\202\12\362<\30$(\253\333"\2139\341\227\246\311\25v\30\256\276\262e\273\253\365rXU\207\140\330\244\335\353\307\324\347\223r"\4j"T2?{,\213\333\256\335\17\3625;\230\30E\27\264\245\202\242E\^\356\374\13\236\2319v\2142B\347*\341\1D\17\323J", ) \334\320\3w\332z\315\273q\267z:}\201\200];\302\316\4):^\302\222a\353F\225\6\365\272\363\256m\336\23\271\332$ `\23\374\334(\4\222\364[\36\26\10\222\25\274\224%\33\370@\205\200\312\1\326f\336\376H\341\20\14\207/\20l\344\261\340\374\331\334\325AP\35\201h'\277\364\33\221r6\223\26\247\236\374u\200h\263\253\2025\333\312A\365g\261 ... {status=0x0, info=256}, "\366\0\240vm4\364\361\177\257\204a\5\207\220\262\16\6+\317\355\377\212\353~\300\300\271"\334\320\3w\332z\315\273q\267z:}\201\200];\302\316\4):^\302\222a\353F\225\6\365\272\363\256m\336\23\271\332$ `\23\374\334(\4\222\364[\36\26\10\222\25\274\224%\33\370@\205\200\312\1\326f\336\376H\341\20\14\207/\20l\344\261\340\374\331\334\325AP\35\201h'\277\364\33\221r6\223\26\247\236\374u\200h\263\253\2025\333\312A\365g\261"'\257\H\277\267\14{\332\303e\222\372\31\36\214\374&\307\271B\353\264\202\12\362<\30$(\253\333"\2139\341\227\246\311\25v\30\256\276\262e\273\253\365rXU\207\140\330\244\335\353\307\324\347\223r"\4j"T2?{,\213\333\256\335\17\3625;\230\30E\27\264\245\202\242E\^\356\374\13\236\2319v\2142B\347*\341\1D\17\323J", ) \2139\341\227\246\311\25v\30\256\276\262e\273\253\365rXU\207\140\330\244\335\353\307\324\347\223r ... 
{status=0x0, info=256}, "\366\0\240vm4\364\361\177\257\204a\5\207\220\262\16\6+\317\355\377\212\353~\300\300\271"\334\320\3w\332z\315\273q\267z:}\201\200];\302\316\4):^\302\222a\353F\225\6\365\272\363\256m\336\23\271\332$ `\23\374\334(\4\222\364[\36\26\10\222\25\274\224%\33\370@\205\200\312\1\326f\336\376H\341\20\14\207/\20l\344\261\340\374\331\334\325AP\35\201h'\277\364\33\221r6\223\26\247\236\374u\200h\263\253\2025\333\312A\365g\261"'\257\H\277\267\14{\332\303e\222\372\31\36\214\374&\307\271B\353\264\202\12\362<\30$(\253\333"\2139\341\227\246\311\25v\30\256\276\262e\273\253\365rXU\207\140\330\244\335\353\307\324\347\223r"\4j"T2?{,\213\333\256\335\17\3625;\230\30E\27\264\245\202\242E\^\356\374\13\236\2319v\2142B\347*\341\1D\17\323J", ) T2?{,\213\333\256\335\17\3625;\230\30E\27\264\245\202\242E\^\356\374\13\236\2319v\2142B\347*\341\1D\17\323J", ) == 0x0 01919 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\77N\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01920 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01921 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01922 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01923 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01924 284 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 01925 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01926 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01927 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01928 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "Vi\323\10\205\13x\222\216\246\35\337\317\25\201\252$\205QEI0NQ*\275}\24\@dh+\36/A\305\345\334\335i\277\274\271\36\250\35bC\13\354\231\244\202u\234\2\224\354\171\30\234!p\310\31\313\372O\13e\316\26;\261;\335\310\370", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "Vi\323\10\205\13x\222\216\246\35\337\317\25\201\252$\205QEI0NQ*\275}\24\@dh+\36/A\305\345\334\335i\277\274\271\36\250\35bC\13\354\231\244\202u\234\2\224\354\171\30\234!p\310\31\313\372O\13e\316\26;\261;\335\310\370", 80, ... ) , 80, ... ) == 0x0 01929 284 NtClose (-2147482096, ... ) == 0x0 01919 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "_:U\307^\33a7\320W\343\372h\344>JH4|\226\323]\327\215H\276\216\307\275\261\242\4J|A\210\257\5\336d3\273\276@\243C[\336\230Cs\310\32S\2606\25\364\325EK\243\350p\23\33HG\260\356\317?\336\302?'\34\2\32E\336p\300\10\364=\272\365\27\215\300{\16Q\227X\257\24\\350\252K\223\245\305s\346&3H\335\32 @\245]@\2627\311\335\7H\33\203\332s\312\215\11\363\357h\372F\320\365\20\4.$\366}\242\301,\216\334`\343\231 \3069\350\252n\216\0\213\204Jd\303"\322_\13\13\20}IL\204S%\321\357*UB\31m8*\14\214\353P\5>r\245l\233\324\202"\234\360\243\4\17\354Np\5\333.\330\31A\347z{\10\350-\355EQ\334.\33\212\4t\260\331f\201C=\313ek\10\201z\320(Y\220\13{(\7'c\330\3132\370L", ) \322_\13\13\20}IL\204S%\321\357*UB\31m8*\14\214\353P\5>r\245l\233\324\202 ... 
{status=0x0, info=256}, "_:U\307^\33a7\320W\343\372h\344>JH4|\226\323]\327\215H\276\216\307\275\261\242\4J|A\210\257\5\336d3\273\276@\243C[\336\230Cs\310\32S\2606\25\364\325EK\243\350p\23\33HG\260\356\317?\336\302?'\34\2\32E\336p\300\10\364=\272\365\27\215\300{\16Q\227X\257\24\\350\252K\223\245\305s\346&3H\335\32 @\245]@\2627\311\335\7H\33\203\332s\312\215\11\363\357h\372F\320\365\20\4.$\366}\242\301,\216\334`\343\231 \3069\350\252n\216\0\213\204Jd\303"\322_\13\13\20}IL\204S%\321\357*UB\31m8*\14\214\353P\5>r\245l\233\324\202"\234\360\243\4\17\354Np\5\333.\330\31A\347z{\10\350-\355EQ\334.\33\212\4t\260\331f\201C=\313ek\10\201z\320(Y\220\13{(\7'c\330\3132\370L", ) , ) == 0x0 01930 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\77N\30q\5\310\77N\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01931 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01932 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01933 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01934 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01935 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01936 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01937 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01938 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01939 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "=\252\242e\2508\200\0\350\220\12C\15:\21.\217@\364_6\1$A.\361\207\346\213\336\234@\311]\15\13zs\2404\14\200\367\3743B\354-\323\35I\266%\213\363\256gB\3058J\326\353(/Z\300LG\234\370\277\273\322@\361O-&\222", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "=\252\242e\2508\200\0\350\220\12C\15:\21.\217@\364_6\1$A.\361\207\346\213\336\234@\311]\15\13zs\2404\14\200\367\3743B\354-\323\35I\266%\213\363\256gB\3058J\326\353(/Z\300LG\234\370\277\273\322@\361O-&\222", 80, ... ) , 80, ... ) == 0x0 01940 284 NtClose (-2147482096, ... ) == 0x0 01930 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "1[*y3\350\0'\360\275\352\3410\261\1\336\224\255\3329\3716\332J=\362\216\2\271"\352\326\356w\263G\305V~\30\220qH\342w\235|gbk\365}\351%!\302\35Kw\206\21&\242\242\207\307\305\307l\1T\246\317tH\354\247F\246\317Y\327jCPq\222V\320\304\17\370\346\374K\226%\312L\7\244uG\273}g\225\363p\22\354\360\274z\33]\244\345\372\353\247\272\241\37\341\351y\336\21D\2Gu\252E^\327\4\360+\21$y.`;\7\34\262\13\202\222\177@\270n\357Z,\350\23#Yy1yxM5\34\330l(\1\20\242\213\373\7@\345\224\246F\12s\37C\7\273[\0\236\226O\177\6\271|\2776\376d'\325?g\323\306]\352+\26\303\3645\374\231\201cr\211\17\305\26\241\245a\322u\331\223u\370\23\0m\222\235\370W' \357h\246e!\345\230\247\10MB\256\360", ) \352\326\356w\263G\305V~\30\220qH\342w\235|gbk\365}\351%!\302\35Kw\206\21&\242\242\207\307\305\307l\1T\246\317tH\354\247F\246\317Y\327jCPq\222V\320\304\17\370\346\374K\226%\312L\7\244uG\273}g\225\363p\22\354\360\274z\33]\244\345\372\353\247\272\241\37\341\351y\336\21D\2Gu\252E^\327\4\360+\21$y.`;\7\34\262\13\202\222\177@\270n\357Z,\350\23#Yy1yxM5\34\330l(\1\20\242\213\373\7@\345\224\246F\12s\37C\7\273[\0\236\226O\177\6\271|\2776\376d'\325?g\323\306]\352+\26\303\3645\374\231\201cr\211\17\305\26\241\245a\322u\331\223u\370\23\0m\222\235\370W' \357h\246e!\345\230\247\10MB\256\360", ) == 0x0 01941 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 
01942 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01943 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01944 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01945 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01946 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01947 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01948 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01949 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01950 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "^\343\363\373\242|\7\304\306'\346\342\255\206\23\24\307#\246\202?a\322\277\270[\307%\254\374\7\217+`\217N\245\3436\210\221\16]`\27\23.bj\354\263\241T\217\314W\306d\207\223\320\204R\234Sc\14\241\234\326\7\276\264\243\6\361R\345!?", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "^\343\363\373\242|\7\304\306'\346\342\255\206\23\24\307#\246\202?a\322\277\270[\307%\254\374\7\217+`\217N\245\3436\210\221\16]`\27\23.bj\354\263\241T\217\314W\306d\207\223\320\204R\234Sc\14\241\234\326\7\276\264\243\6\361R\345!?", 80, ... ) , 80, ... ) == 0x0 01951 284 NtClose (-2147482096, ... ) == 0x0 01941 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\233J\317\356<\301\246\370\237|/O\242\203\26qe\2p<\212\233\365\177Y\200\30g\235\346\331\372\7\237\22\306\17\25\1\210=\75\212\27\327\323\347L\201\272\351s\350\11N\231\225o\355\342&\5\357\310Y\250\240\341\346\245+\366\346j\333\212q\215\366\311CD&\326Y\25\356p\307\267c\243I?\206h\3212s?\226\314\371\21L[\350\365^\260\323Si\261\332Mu\221\334b\214\3765I\336\307{H\261\241k\374\34$\36\277\312\215\232g\333\225\315\20203G1\206S\346\254\26\17\216\15ir\177\3RW\253xp\33o\276\373\335G\5\332\207\272\2br\340>9\237>\245*}(\33\307\210J\320\246\276\326 \3308\246\331\261\363\317Y\216\313d\13L\16\314\327\230-n\262\27\267\326\220w\204\317\256ex\11\264b\203\321\344\353\205\235\162\216\217SA\354!q\223\231\233\350\330I\4\23k", ) , ) == 0x0 01952 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01953 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01954 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01955 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01956 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01957 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01958 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01959 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01960 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01961 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "\357s\361\312W\266\356\3[\203\305\237<\376\363X2\303D\374\215e\360\371\253/\3203\363\31\327a"R\368,\351]\237\345\203\237r\212}\22\346L\353\354\4\17\225\332\&\337\314\323\333\373\276R\242\300\354E\20\21\246H\355(&\366\377\315\376w", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "\357s\361\312W\266\356\3[\203\305\237<\376\363X2\303D\374\215e\360\371\253/\3203\363\31\327a"R\368,\351]\237\345\203\237r\212}\22\346L\353\354\4\17\225\332\&\337\314\323\333\373\276R\242\300\354E\20\21\246H\355(&\366\377\315\376w", 80, ... ) R\368,\351]\237\345\203\237r\212}\22\346L\353\354\4\17\225\332\&\337\314\323\333\373\276R\242\300\354E\20\21\246H\355(&\366\377\315\376w", 80, ... ) == 0x0 01962 284 NtClose (-2147482096, ... ) == 0x0 01952 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\24"\237K\226)skd\256\212\333:\335\326\24\23\347\35'\364nO\23\333\277\23(\177\246\307/\323\51\326\17\236\32\215](\2067e'9}iu\276$\4\270\322u\356\220\275\206\355+!a\327\213\235\337\350$ \325o\302s\2144M\211\342\311\31\275\313\346\202+\253\373\356\347KXe:Q-y]<\210\204,\324\232\234\303\25G?\31\264s\2125\323\254n\315\241\234\351\25Y\303\243\10\251\314\22(9\201\4IJ1\250$\360\$\22\\27c\36\210\3\4\21x\221\361\30\333.H\32\31\3467\315\365\341\270\250\206\273\307\262'\341\347@\271;gr\341\233;`\277\A\360\340"\254N\254\310\245\317S\315B\177rK&\327\5\216\16\272\340\10Y\16\4\365\327g\341\27.\252\20\227/\21!\374\317\330\224\357R\272\260\332}-K~\237\310, ) \237K\226)skd\256\212\333:\335\326\24\23\347\35'\364nO\23\333\277\23(\177\246\307/\323\51\326\17\236\32\215](\2067e'9}iu\276$\4\270\322u\356\220\275\206\355+!a\327\213\235\337\350$ \325o\302s\2144M\211\342\311\31\275\313\346\202+\253\373\356\347KXe:Q-y]<\210\204,\324\232\234\303\25G?\31\264s\2125\323\254n\315\241\234\351\25Y\303\243\10\251\314\22(9\201\4IJ1\250$\360\$\22\\27c\36\210\3\4\21x\221\361\30\333.H\32\31\3467\315\365\341\270\250\206\273\307\262'\341\347@\271;gr\341\233;`\277\A\360\340 ... 
{status=0x0, info=256}, "\24"\237K\226)skd\256\212\333:\335\326\24\23\347\35'\364nO\23\333\277\23(\177\246\307/\323\51\326\17\236\32\215](\2067e'9}iu\276$\4\270\322u\356\220\275\206\355+!a\327\213\235\337\350$ \325o\302s\2144M\211\342\311\31\275\313\346\202+\253\373\356\347KXe:Q-y]<\210\204,\324\232\234\303\25G?\31\264s\2125\323\254n\315\241\234\351\25Y\303\243\10\251\314\22(9\201\4IJ1\250$\360\$\22\\27c\36\210\3\4\21x\221\361\30\333.H\32\31\3467\315\365\341\270\250\206\273\307\262'\341\347@\271;gr\341\233;`\277\A\360\340"\254N\254\310\245\317S\315B\177rK&\327\5\216\16\272\340\10Y\16\4\365\327g\341\27.\252\20\227/\21!\374\317\330\224\357R\272\260\332}-K~\237\310, ) , ) == 0x0 01963 284 NtDeviceIoControlFile (252, 0, 0x0, 0x0, 0x390008, (252, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\262\210+\36}\301\10\365#\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\77N\30q\5\310\7l\353\13\223s/\312\370\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01964 284 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01965 284 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01966 284 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01967 284 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01968 284 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01969 284 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01970 284 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01971 284 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482096, 2, ) }, 0, 0x0, 0, ... -2147482096, 2, ) == 0x0 01972 284 NtSetValueKey (-2147482096, (-2147482096, "Seed", 0, 3, "\265IA\21\222\200>v\246_\222\315s\363;g\202\336\267\210u\366\253\4\14L\257\203)fQ\345]\3067\273\243T\342\5\1\5cj\220\365\264$\0\217\262V1Q\372+\346xK\371\352\353\335\363V\233Q\3640\205=\377\3626\3\12\215\246\3\1", 80, ... ) , 0, 3, (-2147482096, "Seed", 0, 3, "\265IA\21\222\200>v\246_\222\315s\363;g\202\336\267\210u\366\253\4\14L\257\203)fQ\345]\3067\273\243T\342\5\1\5cj\220\365\264$\0\217\262V1Q\372+\346xK\371\352\353\335\363V\233Q\3640\205=\377\3626\3\12\215\246\3\1", 80, ... ) , 80, ... ) == 0x0 01973 284 NtClose (-2147482096, ... ) == 0x0 01963 284 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\314!\274I:\\374b\206UAH\245\351%\337\250\3\244\244\336\312|@\0\223E\207Y\243\254\345\307\331\225\272W \363e!GW\377\322\246M\236\301Z\14\272\374\354\306\274D\35\12U\211#\272'76\303\256\206Sh\324\340\276\366\330\331\314\211Wd\257m\275\370\25\200\3109\375\342\242\15\266pcA\233\203\252\324\216\260jV\35\337\207\315)n\342c\330p\301 \17\377rC\264\211y\215\2704#~\356\217\307\335U\322#nJ\21\275#S\31\16\35\24vK\334U\3339\305l\31f\255\233\237\377h\317G\250y\20D\266\231\31\325e\224f\311\236\233\0\343\355D\177\206\15g#\331\334\252V\2747\310\139h\23\337x\2254\217vx\20\360\323\323\302&s\356"Cx^A\35\264^\347S\212n8\302\377\317\371\255o[\10\20"E\32>\202\331\336n\316\313Y\224/\374\36\345\256\326\26%\335\304", ) Cx^A\35\264^\347S\212n8\302\377\317\371\255o[\10\20 ... 
{status=0x0, info=256}, "\314!\274I:\\374b\206UAH\245\351%\337\250\3\244\244\336\312|@\0\223E\207Y\243\254\345\307\331\225\272W \363e!GW\377\322\246M\236\301Z\14\272\374\354\306\274D\35\12U\211#\272'76\303\256\206Sh\324\340\276\366\330\331\314\211Wd\257m\275\370\25\200\3109\375\342\242\15\266pcA\233\203\252\324\216\260jV\35\337\207\315)n\342c\330p\301 \17\377rC\264\211y\215\2704#~\356\217\307\335U\322#nJ\21\275#S\31\16\35\24vK\334U\3339\305l\31f\255\233\237\377h\317G\250y\20D\266\231\31\325e\224f\311\236\233\0\343\355D\177\206\15g#\331\334\252V\2747\310\139h\23\337x\2254\217vx\20\360\323\323\302&s\356"Cx^A\35\264^\347S\212n8\302\377\317\371\255o[\10\20"E\32>\202\331\336n\316\313Y\224/\374\36\345\256\326\26%\335\304", ) , ) == 0x0 01974 284 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 248, {status=0x0, info=1}, ) }, 3, 33, ... 248, {status=0x0, info=1}, ) == 0x0 01975 284 NtQueryVolumeInformationFile (248, 1238964, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01976 284 NtClose (12, ... ) == 0x0 01977 284 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01978 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238184, (0x80100080, {24, 0, 0x40, 0, 1238184, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 01979 284 NtQueryInformationFile (12, 1239120, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01980 284 NtQueryInformationFile (12, 1239092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01981 284 NtQueryInformationFile (12, 1239044, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01982 284 NtAllocateVirtualMemory (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0 01983 284 NtQueryInformationFile (12, 1432080, 4094, Stream, ... 
{status=0x0, info=38}, ) == 0x0 01984 284 NtQueryInformationFile (12, 1237588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01985 284 NtQueryInformationFile (12, 1237432, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01986 284 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1237440, (0x40110080, {24, 0, 0x40, 0, 1237440, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01987 284 NtClose (-2147482096, ... ) == 0x0 01986 284 NtCreateFile ... 244, {status=0x0, info=2}, ) == 0x0 01988 284 NtQueryVolumeInformationFile (244, 1236812, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01989 284 NtQueryInformationFile (244, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01990 284 NtQueryVolumeInformationFile (12, 1236812, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01991 284 NtQueryVolumeInformationFile (12, 1236496, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01992 284 NtSetInformationFile (244, 1236600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01993 284 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 256, ) == 0x0 01994 284 NtMapViewOfSection (256, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe30000), {0, 0}, 139264, ) == 0x0 01995 284 NtClose (256, ... 
) == 0x0 01996 284 NtWriteFile (244, 0, 0, 0, (244, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\0@\2\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\240\2\0\217\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0 \2\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01997 284 NtWriteFile (244, 0, 0, 0, (244, 0, 0, 0, ".\342\234`\272\3774\336\20/\250\206\3772\332\245\O\32\233e\240\3344s\343\243^m\353_\325O\377#\2630\213\225:^\375\372?\264\305M\357\13\212\315\372\321\315C,\312\12\244\254\271\302<\215\351G\264"7A\340\375\30\247o@\217[\13\22A\\330_\366x\202[\233\27\334\36\312\236z`g\334bV\246\320-9}\35\237\37\357\315D4\250\267"Q\226\262\231\356\310\235}\211k\316id\347\3f\13\34z\227\357*\374[\316F\256W\\267ee\274\34\213Aq\4\3248\346L\23\225\230\3406\333}\2534\27\35\303\325\237\20U\255+\205\332z\210|\324\12\253\37$\13\17\244\232m\355\20p:\4\316@\260\33j\266:\246\335q\360D\257)\263\302\306F\356\32\352-\325.~\365g\212r\236\217\370s\376\35\325J\276\276\15E\270\34~\323\255wa\2742\363\26\315\32\344\34\260Y\233m\205k\374V\352V\3645\212\313.\232d.\370\20\341<\4\36\313u\206\31\267\313,\310w\353r\3238\264%\264C\267\2s\224~\342d\200\314B<"\324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) 7A\340\375\30\247o@\217[\13\22A\\330_\366x\202[\233\27\334\36\312\236z`g\334bV\246\320-9}\35\237\37\357\315D4\250\267 (244, 0, 0, 0, ".\342\234`\272\3774\336\20/\250\206\3772\332\245\O\32\233e\240\3344s\343\243^m\353_\325O\377#\2630\213\225:^\375\372?\264\305M\357\13\212\315\372\321\315C,\312\12\244\254\271\302<\215\351G\264"7A\340\375\30\247o@\217[\13\22A\\330_\366x\202[\233\27\334\36\312\236z`g\334bV\246\320-9}\35\237\37\357\315D4\250\267"Q\226\262\231\356\310\235}\211k\316id\347\3f\13\34z\227\357*\374[\316F\256W\\267ee\274\34\213Aq\4\3248\346L\23\225\230\3406\333}\2534\27\35\303\325\237\20U\255+\205\332z\210|\324\12\253\37$\13\17\244\232m\355\20p:\4\316@\260\33j\266:\246\335q\360D\257)\263\302\306F\356\32\352-\325.~\365g\212r\236\217\370s\376\35\325J\276\276\15E\270\34~\323\255wa\2742\363\26\315\32\344\34\260Y\233m\205k\374V\352V\3645\212\313.\232d.\370\20\341<\4\36\313u\206\31\267\313,\310w\353r\3238\264%\264C\267\2s\224~\342d\200\314B<"\324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \324\301s\352\30]\305o\2738\263(\217\261\223\263\230\360\0\333`\377\31(0\212\301|\222Y\356\5\222]\361\354+\334\11\276\0l\316q\203\334\250r\212\5\226&\256I\343e\256\37]\3334\34-\261\301~\321>\245^\350\30\352su\256\231g\244\14W\315\33\367\4\275\306(\233\302.\260h\2567\267[\2308\256f\300\315\233\346\15\260&\211\253\221\301Q\233\14\277.\300S\333r\341\33\273\327\224\4\14\3326\264\302\336t\376\\210E\226v\325\23T\276", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01998 284 NtWriteFile (244, 0, 0, 0, (244, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16384, 0x0, 0, ... {status=0x0, info=16384}, ) , 16384, 0x0, 0, ... {status=0x0, info=16384}, ) == 0x0 01999 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02000 284 NtSetInformationFile (244, 1239044, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02001 284 NtClose (12, ... ) == 0x0 02002 284 NtClose (244, ... ) == 0x0 02003 284 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113568, ... 244, {status=0x0, info=1}, ) }, 7, 2113568, ... 244, {status=0x0, info=1}, ) == 0x0 02004 284 NtSetInformationFile (244, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02005 284 NtClose (244, ... ) == 0x0 02006 284 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 7, 2113568, ... 244, {status=0x0, info=1}, ) }, 7, 2113568, ... 
244, {status=0x0, info=1}, ) == 0x0 02007 284 NtSetInformationFile (244, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02008 284 NtClose (244, ... ) == 0x0 02009 284 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238948, (0x80100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 244, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 244, {status=0x0, info=1}, ) == 0x0 02010 284 NtQueryInformationFile (244, 1239000, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02011 284 NtClose (244, ... ) == 0x0 02012 284 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1238948, (0x40100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\System32\spoolsvc.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 244, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 244, {status=0x0, info=1}, ) == 0x0 02013 284 NtSetInformationFile (244, 1239000, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02014 284 NtClose (244, ... ) == 0x0 02015 284 NtOpenFile (0x10080, {24, 248, 0x40, 0, 0, (0x10080, {24, 248, 0x40, 0, 0, "zbbis.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02016 284 NtCreateFile (0x40100080, {24, 248, 0x40, 0, 1239196, (0x40100080, {24, 248, 0x40, 0, 1239196, "zbbis.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 244, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 244, {status=0x0, info=2}, ) == 0x0 02017 284 NtWriteFile (244, 0, 0, 0, (244, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del zbbis.bat\15\12", 121, 0x0, 0, ... {status=0x0, info=121}, ) , 121, 0x0, 0, ... {status=0x0, info=121}, ) == 0x0 02018 284 NtClose (244, ... ) == 0x0 02019 284 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02020 284 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 
1224704, 4096, ) == 0x0 02021 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232536, ... ) }, 1232536, ... ) == 0x0 02022 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02023 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 244, ... 12, ) == 0x0 02024 284 NtClose (244, ... ) == 0x0 02025 284 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 262144, ) == 0x0 02026 284 NtClose (12, ... ) == 0x0 02027 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02028 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02029 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02030 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02031 284 NtAllocateVirtualMemory (-1, 1441792, 0, 16384, 4096, 4, ... 1441792, 16384, ) == 0x0 02032 284 NtUserRegisterClassExWOW (1234620, 1234700, 1234684, 1234716, 0, 384, 0, ... ) == 0x810ec038 02033 284 NtUserGetAtomName (49208, 1233384, ... 
) == 0x15 02034 284 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 02035 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230908, ... ) }, 1230908, ... ) == 0x0 02036 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0 02037 284 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 12, ... 244, ) == 0x0 02038 284 NtClose (12, ... ) == 0x0 02039 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe30000), 0x0, 204800, ) == 0x0 02040 284 NtClose (244, ... ) == 0x0 02041 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02042 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231224, ... ) }, 1231224, ... ) == 0x0 02043 284 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02044 284 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 12, ) == 0x0 02045 284 NtQuerySection (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02046 284 NtClose (244, ... ) == 0x0 02047 284 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 02048 284 NtClose (12, ... ) == 0x0 02049 284 NtUserGetWindowDC (0, ... ) == 0x1010053 02050 284 NtUserCallOneParam (16842835, 56, ... ) == 0x1 02051 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02052 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
12, ) == 0x0 02053 284 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02054 284 NtClose (12, ... ) == 0x0 02055 284 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 02056 284 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 02057 284 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 244, ) }, ... 244, ) == 0x0 02058 284 NtQueryValueKey (244, (244, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02059 284 NtClose (244, ... ) == 0x0 02060 284 NtClose (12, ... ) == 0x0 02061 284 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02062 284 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 02063 284 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02064 284 NtClose (12, ... ) == 0x0 02065 284 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 02066 284 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 244, ) }, ... 244, ) == 0x0 02067 284 NtQueryValueKey (244, (244, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02068 284 NtClose (244, ... ) == 0x0 02069 284 NtClose (12, ... ) == 0x0 02070 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02071 284 NtQueryAttributesFile ({24, 248, 0x40, 0, 0, ({24, 248, 0x40, 0, 0, "UxTheme.dll"}, 1230724, ... ) }, 1230724, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02072 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == 0x0 02073 284 NtUserGetProcessWindowStation (... ) == 0x28 02074 284 NtUserGetObjectInformation (40, 2, 0, 0, 1233020, ... ) == 0x0 02075 284 NtUserGetObjectInformation (40, 2, 1389536, 16, 1233020, ... ) == 0x1 02076 284 NtUserGetGUIThreadInfo (284, 1232976, ... ) == 0x1 02077 284 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0 02078 284 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2288, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 280, 284, 2288, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2288, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02079 284 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2289, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 280, 284, 2289, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2289, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02080 284 NtUserCallNoParam (29, ... 02081 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230268, ... ) }, 1230268, ... ) == 0x0 02080 284 NtUserCallNoParam ... 
) == 0x0 02082 284 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 02083 284 NtGdiHfontCreate (1232348, 356, 0, 0, 1407120, ... ) == 0x90a0311 02084 284 NtGdiHfontCreate (1232348, 356, 0, 0, 1407112, ... ) == 0x90a0344 02085 284 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2290, 0} "\0\0\0\0\0\0\0\0\364\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 280, 284, 2290, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 280, 284, 2290, 0} "\0\0\0\0\0\0\0\0\364\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02086 284 NtMapViewOfSection (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe30000), {0, 0}, 331776, ) == 0x0 02087 284 NtUserGetWindowDC (0, ... ) == 0x1010053 02088 284 NtUserCallOneParam (16842835, 56, ... ) == 0x1 02089 284 NtUserGetWindowDC (0, ... ) == 0x1010053 02090 284 NtContinue (1230884, 0, ... 02091 284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 256, ) == 0x0 02092 284 NtYieldExecution (... ) == STATUS_NO_YIELD_PERFORMED 02093 284 NtClose (88, ... ) == 0x0 02094 284 NtClose (84, ... ) == 0x0 02095 284 NtFreeVirtualMemory (-1, (0xd60000), 0, 32768, ... (0xd60000), 65536, ) == 0x0 02096 284 NtYieldExecution (... ) == STATUS_NO_YIELD_PERFORMED 02097 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02098 284 NtClearEvent (212, ... ) == 0x0 02099 284 NtClose (212, ... ) == 0x0 02100 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02101 284 NtUnmapViewOfSection (-1, 0x76fb0000, ... ) == 0x0 02102 284 NtUnmapViewOfSection (-1, 0x76f60000, ... ) == 0x0 02103 284 NtUnmapViewOfSection (-1, 0x71a50000, ... ) == 0x0 02104 284 NtClose (96, ... ) == 0x0 02105 284 NtClose (92, ... 
) == 0x0 02106 284 NtTerminateProcess (0, 0, ... 01481 536 NtDelayExecution ... ) == 0xc0 01433 540 NtDelayExecution ... ) == 0xc0 01626 544 NtDelayExecution ... ) == 0xc0 02106 284 NtTerminateProcess ... ) == 0x0 02107 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02108 284 NtUserGetProcessWindowStation (... ) == 0x28 02109 284 NtUserBuildNameList (40, 256, 1385256, 1239636, ... ) == 0x0 02110 284 NtUserGetProcessWindowStation (... ) == 0x28 02111 284 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xb8 02112 284 NtUserBuildHwndList (184, 0, 0, 0, 64, ... (0x10066, 0x100de, 0x100ac, 0x100aa, 0x100a8, 0x60036, 0x20060, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x3003e, 0x1009e, 0x10092, 0x1007e, 0x10026, 0x100da, 0x100d4, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b2, 0x100b0, 0x20064, 0x100e4, 0x200e2, 0x100d2, 0x400b4, 0x300c6, 0x100ae, 0x20062, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 42, ) == 0x0 02113 284 NtUserQueryWindow (65638, 0, ... ) == 0x7cc 02114 284 NtUserQueryWindow (65638, 1, ... ) == 0x7d8 02115 284 NtUserQueryWindow (65758, 0, ... ) == 0x7cc 02116 284 NtUserQueryWindow (65758, 1, ... ) == 0x7d8 02117 284 NtUserQueryWindow (65708, 0, ... ) == 0xc4 02118 284 NtUserQueryWindow (65708, 1, ... ) == 0xc8 02119 284 NtUserQueryWindow (65706, 0, ... ) == 0xc4 02120 284 NtUserQueryWindow (65706, 1, ... ) == 0xc8 02121 284 NtUserQueryWindow (65704, 0, ... ) == 0xc4 02122 284 NtUserQueryWindow (65704, 1, ... ) == 0xc8 02123 284 NtUserQueryWindow (393270, 0, ... ) == 0xc4 02124 284 NtUserQueryWindow (393270, 1, ... ) == 0xc8 02125 284 NtUserQueryWindow (131168, 0, ... ) == 0x7cc 02126 284 NtUserQueryWindow (131168, 1, ... ) == 0x7d8 02127 284 NtUserQueryWindow (65664, 0, ... ) == 0x7cc 02128 284 NtUserQueryWindow (65664, 1, ... ) == 0x7d8 02129 284 NtUserBuildHwndList (0, 65664, 1, 0, 64, ... 
(0x10082, 0x10088, 0x1008a, 0x1008c, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009c, 0x100a0, 0x100a2, 0x100a4, 0x1, ), 13, ) == 0x0 02130 284 NtUserQueryWindow (65666, 0, ... ) == 0x7cc 02131 284 NtUserQueryWindow (65666, 1, ... ) == 0x7d8 02132 284 NtUserQueryWindow (65672, 0, ... ) == 0x7cc 02133 284 NtUserQueryWindow (65672, 1, ... ) == 0x7d8 02134 284 NtUserQueryWindow (65674, 0, ... ) == 0x7cc 02135 284 NtUserQueryWindow (65674, 1, ... ) == 0x7d8 02136 284 NtUserQueryWindow (65676, 0, ... ) == 0x7cc 02137 284 NtUserQueryWindow (65676, 1, ... ) == 0x7d8 02138 284 NtUserQueryWindow (65684, 0, ... ) == 0x7cc 02139 284 NtUserQueryWindow (65684, 1, ... ) == 0x7d8 02140 284 NtUserQueryWindow (65686, 0, ... ) == 0x7cc 02141 284 NtUserQueryWindow (65686, 1, ... ) == 0x7d8 02142 284 NtUserQueryWindow (65688, 0, ... ) == 0x7cc 02143 284 NtUserQueryWindow (65688, 1, ... ) == 0x7d8 02144 284 NtUserQueryWindow (65690, 0, ... ) == 0x7cc 02145 284 NtUserQueryWindow (65690, 1, ... ) == 0x7d8 02146 284 NtUserQueryWindow (65692, 0, ... ) == 0x7cc 02147 284 NtUserQueryWindow (65692, 1, ... ) == 0x7d8 02148 284 NtUserQueryWindow (65696, 0, ... ) == 0x7cc 02149 284 NtUserQueryWindow (65696, 1, ... ) == 0x7d8 02150 284 NtUserQueryWindow (65698, 0, ... ) == 0x7cc 02151 284 NtUserQueryWindow (65698, 1, ... ) == 0x7d8 02152 284 NtUserQueryWindow (65700, 0, ... ) == 0x7cc 02153 284 NtUserQueryWindow (65700, 1, ... ) == 0x7d8 02154 284 NtUserQueryWindow (65654, 0, ... ) == 0x7cc 02155 284 NtUserQueryWindow (65654, 1, ... ) == 0x7d8 02156 284 NtUserQueryWindow (65642, 0, ... ) == 0x7cc 02157 284 NtUserQueryWindow (65642, 1, ... ) == 0x7d8 02158 284 NtUserQueryWindow (196684, 0, ... ) == 0x7cc 02159 284 NtUserQueryWindow (196684, 1, ... ) == 0x7d8 02160 284 NtUserQueryWindow (65640, 0, ... ) == 0x7cc 02161 284 NtUserQueryWindow (65640, 1, ... ) == 0x7d8 02162 284 NtUserQueryWindow (196670, 0, ... ) == 0x7cc 02163 284 NtUserQueryWindow (196670, 1, ... 
) == 0x7d8 02164 284 NtUserBuildHwndList (0, 196670, 1, 0, 64, ... (0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x3004a, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0 02165 284 NtUserQueryWindow (196674, 0, ... ) == 0x7cc 02166 284 NtUserQueryWindow (196674, 1, ... ) == 0x7d8 02167 284 NtUserQueryWindow (196672, 0, ... ) == 0x7cc 02168 284 NtUserQueryWindow (196672, 1, ... ) == 0x7d8 02169 284 NtUserQueryWindow (196676, 0, ... ) == 0x7cc 02170 284 NtUserQueryWindow (196676, 1, ... ) == 0x7d8 02171 284 NtUserQueryWindow (196678, 0, ... ) == 0x7cc 02172 284 NtUserQueryWindow (196678, 1, ... ) == 0x7d8 02173 284 NtUserQueryWindow (196680, 0, ... ) == 0x7cc 02174 284 NtUserQueryWindow (196680, 1, ... ) == 0x7d8 02175 284 NtUserQueryWindow (196682, 0, ... ) == 0x7cc 02176 284 NtUserQueryWindow (196682, 1, ... ) == 0x7d8 02177 284 NtUserQueryWindow (65644, 0, ... ) == 0x7cc 02178 284 NtUserQueryWindow (65644, 1, ... ) == 0x7d8 02179 284 NtUserQueryWindow (65648, 0, ... ) == 0x7cc 02180 284 NtUserQueryWindow (65648, 1, ... ) == 0x7d8 02181 284 NtUserQueryWindow (65652, 0, ... ) == 0x7cc 02182 284 NtUserQueryWindow (65652, 1, ... ) == 0x7d8 02183 284 NtUserQueryWindow (65694, 0, ... ) == 0x7cc 02184 284 NtUserQueryWindow (65694, 1, ... ) == 0x7d8 02185 284 NtUserQueryWindow (65682, 0, ... ) == 0x7cc 02186 284 NtUserQueryWindow (65682, 1, ... ) == 0x7d8 02187 284 NtUserQueryWindow (65662, 0, ... ) == 0x7cc 02188 284 NtUserQueryWindow (65662, 1, ... ) == 0x7d0 02189 284 NtUserQueryWindow (65574, 0, ... ) == 0x268 02190 284 NtUserQueryWindow (65574, 1, ... ) == 0x2c0 02191 284 NtUserQueryWindow (65754, 0, ... ) == 0x2c4 02192 284 NtUserQueryWindow (65754, 1, ... ) == 0x4f0 02193 284 NtUserQueryWindow (65748, 0, ... ) == 0x2c4 02194 284 NtUserQueryWindow (65748, 1, ... ) == 0x4f0 02195 284 NtUserQueryWindow (65730, 0, ... ) == 0xcc 02196 284 NtUserQueryWindow (65730, 1, ... ) == 0x9c 02197 284 NtUserQueryWindow (65728, 0, ... 
) == 0xcc 02198 284 NtUserQueryWindow (65728, 1, ... ) == 0x9c 02199 284 NtUserQueryWindow (65726, 0, ... ) == 0xcc 02200 284 NtUserQueryWindow (65726, 1, ... ) == 0x9c 02201 284 NtUserQueryWindow (65724, 0, ... ) == 0xcc 02202 284 NtUserQueryWindow (65724, 1, ... ) == 0x9c 02203 284 NtUserQueryWindow (65722, 0, ... ) == 0xcc 02204 284 NtUserQueryWindow (65722, 1, ... ) == 0x9c 02205 284 NtUserQueryWindow (65720, 0, ... ) == 0xcc 02206 284 NtUserQueryWindow (65720, 1, ... ) == 0x9c 02207 284 NtUserQueryWindow (65714, 0, ... ) == 0xcc 02208 284 NtUserQueryWindow (65714, 1, ... ) == 0x9c 02209 284 NtUserQueryWindow (65712, 0, ... ) == 0xcc 02210 284 NtUserQueryWindow (65712, 1, ... ) == 0x9c 02211 284 NtUserQueryWindow (131172, 0, ... ) == 0xd4 02212 284 NtUserQueryWindow (131172, 1, ... ) == 0xb4 02213 284 NtUserQueryWindow (65764, 0, ... ) == 0x7cc 02214 284 NtUserQueryWindow (65764, 1, ... ) == 0x69c 02215 284 NtUserQueryWindow (131298, 0, ... ) == 0x7cc 02216 284 NtUserQueryWindow (131298, 1, ... ) == 0x688 02217 284 NtUserQueryWindow (65746, 0, ... ) == 0x7cc 02218 284 NtUserQueryWindow (65746, 1, ... ) == 0x514 02219 284 NtUserQueryWindow (262324, 0, ... ) == 0x7cc 02220 284 NtUserQueryWindow (262324, 1, ... ) == 0x514 02221 284 NtUserBuildHwndList (0, 262324, 1, 0, 64, ... (0x100ca, 0x100cc, 0x100ce, 0x100d0, 0x1, ), 5, ) == 0x0 02222 284 NtUserQueryWindow (65738, 0, ... ) == 0x7cc 02223 284 NtUserQueryWindow (65738, 1, ... ) == 0x514 02224 284 NtUserQueryWindow (65740, 0, ... ) == 0x7cc 02225 284 NtUserQueryWindow (65740, 1, ... ) == 0x514 02226 284 NtUserQueryWindow (65742, 0, ... ) == 0x7cc 02227 284 NtUserQueryWindow (65742, 1, ... ) == 0x514 02228 284 NtUserQueryWindow (65744, 0, ... ) == 0x7cc 02229 284 NtUserQueryWindow (65744, 1, ... ) == 0x514 02230 284 NtUserQueryWindow (196806, 0, ... ) == 0x7cc 02231 284 NtUserQueryWindow (196806, 1, ... ) == 0x7d8 02232 284 NtUserQueryWindow (65710, 0, ... ) == 0xc4 02233 284 NtUserQueryWindow (65710, 1, ... 
) == 0xc8 02234 284 NtUserQueryWindow (131170, 0, ... ) == 0xbc 02235 284 NtUserQueryWindow (131170, 1, ... ) == 0xc0 02236 284 NtUserQueryWindow (65646, 0, ... ) == 0x7cc 02237 284 NtUserQueryWindow (65646, 1, ... ) == 0x78 02238 284 NtUserQueryWindow (327760, 0, ... ) == 0x7cc 02239 284 NtUserQueryWindow (327760, 1, ... ) == 0x7d0 02240 284 NtUserQueryWindow (262228, 0, ... ) == 0x7cc 02241 284 NtUserQueryWindow (262228, 1, ... ) == 0x7d0 02242 284 NtUserQueryWindow (327758, 0, ... ) == 0x7cc 02243 284 NtUserQueryWindow (327758, 1, ... ) == 0x7d0 02244 284 NtUserQueryWindow (65668, 0, ... ) == 0x7cc 02245 284 NtUserQueryWindow (65668, 1, ... ) == 0x7d0 02246 284 NtUserQueryWindow (65656, 0, ... ) == 0x7cc 02247 284 NtUserQueryWindow (65656, 1, ... ) == 0x7d0 02248 284 NtUserBuildHwndList (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0 02249 284 NtUserQueryWindow (65658, 0, ... ) == 0x7cc 02250 284 NtUserQueryWindow (65658, 1, ... ) == 0x7d0 02251 284 NtUserQueryWindow (65660, 0, ... ) == 0x7cc 02252 284 NtUserQueryWindow (65660, 1, ... ) == 0x7d0 02253 284 NtUserCloseDesktop (184, ... 02254 284 NtClose (184, ... ) == 0x0 02253 284 NtUserCloseDesktop ... ) == 0x1 02255 284 NtUserGetProcessWindowStation (... ) == 0x28 02256 284 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02257 284 NtUserGetProcessWindowStation (... ) == 0x28 02258 284 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02259 284 NtGdiDeleteObjectApp (151651089, ... ) == 0x1 02260 284 NtGdiDeleteObjectApp (151651140, ... ) == 0x1 02261 284 NtUnmapViewOfSection (-1, 0xe30000, ... ) == 0x0 02262 284 NtClose (244, ... ) == 0x0 02263 284 NtClose (12, ... ) == 0x0 02264 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02265 284 NtFreeVirtualMemory (-1, (0xdf0000), 0, 32768, ... 
(0xdf0000), 262144, ) == 0x0 02266 284 NtUserUnregisterClass (1239596, 1991376896, 1239584, ... ) == 0x0 02267 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc03b 02268 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02269 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc03d 02270 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02271 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc03f 02272 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02273 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc041 02274 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02275 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc043 02276 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02277 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc045 02278 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02279 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc047 02280 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02281 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc049 02282 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02283 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc04b 02284 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02285 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc04d 02286 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02287 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc04f 02288 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02289 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... 
) == 0xc051 02290 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02291 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc053 02292 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02293 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc057 02294 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02295 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc059 02296 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02297 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc05b 02298 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02299 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc05d 02300 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02301 284 NtUserGetClassInfo (1999896576, 1239684, 1239636, 1239712, 0, ... ) == 0xc05f 02302 284 NtUserUnregisterClass (1239688, 1999896576, 1239676, ... ) == 0x1 02303 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02304 284 NtUnmapViewOfSection (-1, 0x15e0000, ... ) == 0x0 02305 284 NtClose (108, ... ) == 0x0 02306 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc03b 02307 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02308 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc03d 02309 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02310 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc03f 02311 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02312 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc041 02313 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02314 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... 
) == 0xc043 02315 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02316 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc045 02317 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02318 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc047 02319 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02320 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc049 02321 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02322 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc04b 02323 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02324 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc04d 02325 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02326 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc04f 02327 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02328 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc051 02329 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02330 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc053 02331 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02332 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc057 02333 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02334 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc059 02335 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02336 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc05b 02337 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02338 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... 
) == 0xc05d 02339 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02340 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc05f 02341 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02342 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc017 02343 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02344 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc019 02345 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02346 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc018 02347 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02348 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc01a 02349 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02350 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc01c 02351 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02352 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc01e 02353 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02354 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc01b 02355 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02356 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc068 02357 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02358 284 NtUserGetClassInfo (1905590272, 1239684, 1239636, 1239712, 0, ... ) == 0xc06a 02359 284 NtUserUnregisterClass (1239688, 1905590272, 1239676, ... ) == 0x1 02360 284 NtUnmapViewOfSection (-1, 0xd70000, ... ) == 0x0 02361 284 NtClose (200, ... ) == 0x0 02362 284 NtClose (188, ... ) == 0x0 02363 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... 
) == 0x0 02364 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02365 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02366 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02367 284 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02368 284 NtFreeVirtualMemory (-1, (0xc20000), 0, 32768, ... (0xc20000), 262144, ) == 0x0 02369 284 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02370 284 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02371 284 NtReleaseMutant (56, ... 0x0, ) == 0x0 02372 284 NtUserUnhookWindowsHookEx (196753, ... ) == 0x1 02373 284 NtTerminateThread (72, 0, ... ) == 0x0 02374 284 NtTerminateThread (68, 0, ... ) == 0x0 02375 284 NtTerminateThread (60, 0, ... ) == 0x0 02376 284 NtUserKillTimer (0, 32761, ... ) == 0x1 02377 284 NtClose (76, ... ) == 0x0 02378 284 NtClose (252, ... ) == 0x0 02379 284 NtFreeVirtualMemory (-1, (0x3e0000), 4096, 32768, ... (0x3e0000), 4096, ) == 0x0 02380 284 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1240188, 0, 2012550835, 1327504} (24, {20, 48, new_msg, 0, 1240188, 0, 2012550835, 1327504} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 280, 284, 2295, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 280, 284, 2295, 0} (24, {20, 48, new_msg, 0, 1240188, 0, 2012550835, 1327504} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 280, 284, 2295, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02381 284 NtTerminateProcess (-1, 0, ... 02382 284 NtClose (44, ... ) == 0x0