Summary:


NtAddAtom(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtQueryDefaultLocale(>)  42 

NtAllocateLocallyUniqueId(>)  1 
NtSetEvent(>)  2 
NtCreateThread(>)  8 
NtContinue(>)  45 

NtCallbackReturn(>)  1 
NtUnlockFile(>)  2 
NtOpenSymbolicLinkObject(>)  8 
NtCreateEvent(>)  46 

NtDuplicateToken(>)  1 
NtUserCloseDesktop(>)  2 
NtQuerySymbolicLinkObject(>)  8 
NtUserUnregisterClass(>)  47 

NtGdiCreateBitmap(>)  1 
NtUserCreateWindowEx(>)  2 
NtRegisterThreadTerminatePort(>)  8 
NtUserFindExistingCursorIcon(>)  49 

NtGdiCreateHalftonePalette(>)  1 
NtUserDestroyWindow(>)  2 
NtResumeThread(>)  8 
NtQueryInformationFile(>)  50 

NtGdiCreatePaletteInternal(>)  1 
NtUserGetObjectInformation(>)  2 
NtQueryVirtualMemory(>)  9 
NtSetInformationFile(>)  50 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserMessageCall(>)  2 
NtReadVirtualMemory(>)  9 
NtQueryDirectoryFile(>)  51 

NtGdiDoPalette(>)  1 
NtUserSetTimer(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtCreateFile(>)  52 

NtGdiInit(>)  1 
NtYieldExecution(>)  2 
NtUserGetWindowDC(>)  10 
NtDelayExecution(>)  59 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenMutant(>)  3 
NtUserCallOneParam(>)  11 
NtQueryInformationProcess(>)  63 

NtGdiSelectBitmap(>)  1 
NtOpenProcess(>)  3 
NtUserSystemParametersInfo(>)  11 
NtUserRegisterClassExWOW(>)  65 

NtOpenKeyedEvent(>)  1 
NtTerminateProcess(>)  3 
NtSetValueKey(>)  13 
NtProtectVirtualMemory(>)  71 

NtQueryFullAttributesFile(>)  1 
NtTerminateThread(>)  3 
NtWriteVirtualMemory(>)  16 
NtUnmapViewOfSection(>)  71 

NtQueryObject(>)  1 
NtUserOpenDesktop(>)  3 
NtNotifyChangeKey(>)  17 
NtCreateSection(>)  73 

NtQueryPerformanceCounter(>)  1 
NtUserRemoveProp(>)  3 
NtOpenProcessToken(>)  17 
NtWaitForSingleObject(>)  74 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  3 
NtCreateKey(>)  18 
NtOpenSection(>)  78 

NtSecureConnectPort(>)  1 
NtConnectPort(>)  4 
NtDeviceIoControlFile(>)  18 
NtReadFile(>)  83 

NtUserBuildNameList(>)  1 
NtCreateProcessEx(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtUserGetClassInfo(>)  91 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtWriteFile(>)  20 
NtQuerySystemInformation(>)  95 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtQueryVolumeInformationFile(>)  21 
NtOpenProcessTokenEx(>)  112 

NtUserGetForegroundWindow(>)  1 
NtQueryInformationJobObject(>)  4 
NtFsControlFile(>)  22 
NtOpenThreadTokenEx(>)  112 

NtUserGetGUIThreadInfo(>)  1 
NtQueryInformationThread(>)  4 
NtRaiseException(>)  23 
NtAllocateVirtualMemory(>)  119 

NtUserGetThreadDesktop(>)  1 
NtQuerySecurityObject(>)  4 
NtFlushInstructionCache(>)  24 
NtMapViewOfSection(>)  120 

NtUserKillTimer(>)  1 
NtUserWaitForInputIdle(>)  4 
NtFreeVirtualMemory(>)  24 
NtQueryKey(>)  129 

NtUserSetProp(>)  1 
NtCreateMutant(>)  5 
NtQueryDebugFilterState(>)  26 
NtOpenFile(>)  130 

NtUserSetWindowsHookEx(>)  1 
NtGdiGetStockObject(>)  5 
NtReleaseSemaphore(>)  27 
NtQueryInformationToken(>)  133 

NtUserUnhookWindowsHookEx(>)  1 
NtSetInformationObject(>)  5 
NtRequestWaitReplyPort(>)  29 
NtUserQueryWindow(>)  134 

NtAccessCheck(>)  2 
NtUserBuildHwndList(>)  5 
NtEnumerateKey(>)  31 
NtQueryAttributesFile(>)  182 

NtClearEvent(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtSetInformationThread(>)  31 
NtQueryValueKey(>)  371 

NtCreateIoCompletion(>)  2 
NtCreateSemaphore(>)  6 
NtEnumerateValueKey(>)  33 
NtOpenKey(>)  531 

NtGdiCreateSolidBrush(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtOpenThreadToken(>)  36 
NtClose(>)  713 

NtGdiHfontCreate(>)  2 
NtSetEventBoostPriority(>)  6 
NtSetInformationProcess(>)  36 

NtLockFile(>)  2 
NtDuplicateObject(>)  7 
NtQuerySection(>)  37 

NtOpenDirectoryObject(>)  2 

Trace:
 00001   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   416   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   416   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   416   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   416   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   416   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   416   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   416   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   416   NtClose  (12, ... ) == 0x0
 00014   416   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   416   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   416   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   416   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   416   NtClose  (16, ... ) == 0x0
 00021   416   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   416   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   416   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   416   NtClose  (16, ... ) == 0x0
 00026   416   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   416   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   416   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   416   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1496, 0} "\3700\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 412, 416, 1496, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1496, 0} "\3700\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   416   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   416   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   416   NtClose  (16, ... ) == 0x0
 00036   416   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   416   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   416   NtClose  (28, ... ) == 0x0
 00041   416   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   416   NtClose  (28, ... ) == 0x0
 00045   416   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   416   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   416   NtClose  (28, ... ) == 0x0
 00049   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   416   NtClose  (28, ... ) == 0x0
 00052   416   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1498, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 412, 416, 1498, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1498, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   416   NtProtectVirtualMemory  (-1, (0x42a000), 36864, 4, ... (0x42a000), 36864, 128, ) == 0x0
 00057   416   NtProtectVirtualMemory  (-1, (0x42a000), 36864, 128, ... (0x42a000), 36864, 4, ) == 0x0
 00058   416   NtFlushInstructionCache  (-1, 4366336, 36864, ... ) == 0x0
 00059   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   416   NtClose  (28, ... ) == 0x0
 00062   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   416   NtClose  (28, ... ) == 0x0
 00065   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   416   NtClose  (28, ... ) == 0x0
 00068   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   416   NtClose  (28, ... ) == 0x0
 00071   416   NtProtectVirtualMemory  (-1, (0x42a000), 36864, 4, ... (0x42a000), 36864, 64, ) == 0x0
 00072   416   NtProtectVirtualMemory  (-1, (0x42a000), 36864, 64, ... (0x42a000), 36864, 4, ) == 0x0
 00073   416   NtFlushInstructionCache  (-1, 4366336, 36864, ... ) == 0x0
 00074   416   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   416   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   416   NtClose  (28, ... ) == 0x0
 00077   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   416   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   416   NtClose  (28, ... ) == 0x0
 00080   416   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   416   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   416   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   416   NtClose  (28, ... ) == 0x0
 00085   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   416   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   416   NtClose  (28, ... ) == 0x0
 00088   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   416   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 412, 416, 1501, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   416   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x450000), 0x0, 1060864, ) == 0x0
 00095   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   416   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   416   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482032, ) == 0x0
 00098   416   NtQueryInformationToken  (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   416   NtQueryInformationToken  (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   416   NtClose  (-2147482032, ... ) == 0x0
 00101   416   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   416   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   416   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00105   416   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   416   NtClose  (-2147482032, ... ) == 0x0
 00107   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00108   416   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   416   NtClose  (-2147482032, ... ) == 0x0
 00110   416   NtQueryDefaultLocale  (0, -136508916, ... ) == 0x0
 00111   416   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   416   NtUserCallNoParam  (24, ... ) == 0x0
 00113   416   NtGdiCreateCompatibleDC  (0, ...
 00114   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   416   NtGdiCreateCompatibleDC  ... ) == 0x16010321
 00115   416   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   416   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   416   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x3c050409
 00118   416   NtGdiCreateSolidBrush  (0, 0, ...
 00119   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8781824, 4096, ) == 0x0
 00118   416   NtGdiCreateSolidBrush  ... ) == 0x1d10031e
 00120   416   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   416   NtGdiCreateCompatibleDC  (0, ... ) == 0x4401031a
 00122   416   NtGdiSelectBitmap  (1140917018, 1006961673, ... ) == 0x185000f
 00123   416   NtUserGetThreadDesktop  (416, 0, ... ) == 0x2c
 00124   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   416   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   416   NtClose  (52, ... ) == 0x0
 00127   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ...
 00141   416   NtAllocateVirtualMemory  (-1, 5730304, 0, 4096, 4096, 32, ... 5730304, 4096, ) == 0x0
 00140   416   NtUserRegisterClassExWOW  ... ) == 0x810dc01d
 00142   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00143   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00144   416   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   416   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   416   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   416   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   416   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   416   NtCallbackReturn  (0, 0, 0, ...
 00152   416   NtGdiInit  (... ) == 0x1
 00153   416   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   416   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   416   NtAllocateVirtualMemory  (-1, 0, 0, 13650, 4096, 4, ... 8847360, 16384, ) == 0x0
 00156   416   NtFreeVirtualMemory  (-1, (0x870000), 0, 32768, ... (0x870000), 16384, ) == 0x0
 00157   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00158   416   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00159   416   NtClose  (52, ... ) == 0x0
 00160   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00161   416   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00162   416   NtClose  (52, ... ) == 0x0
 00163   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00164   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00165   416   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00166   416   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00167   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00168   416   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00169   416   NtClose  (52, ... ) == 0x0
 00170   416   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00171   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00172   416   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00173   416   NtClose  (52, ... ) == 0x0
 00174   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0
 00175   416   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00176   416   NtClose  (52, ... ) == 0x0
 00177   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00178   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00179   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00180   416   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00181   416   NtClose  (52, ... ) == 0x0
 00182   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00183   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00184   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00185   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00186   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00187   416   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   416   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   416   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   416   NtClose  (52, ... ) == 0x0
 00191   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00192   416   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   416   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194   416   NtClose  (52, ... ) == 0x0
 00195   416   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00196   416   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197   416   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00198   416   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00199   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00200   416   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00201   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00203   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00204   416   NtClose  (56, ... ) == 0x0
 00205   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00206   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00207   416   NtClose  (56, ... ) == 0x0
 00208   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00210   416   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00211   416   NtClose  (56, ... ) == 0x0
 00212   416   NtQueryDefaultUILanguage  (1239892, ...
 00213   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00214   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00215   416   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00216   416   NtClose  (-2147482032, ... ) == 0x0
 00217   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00218   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219   416   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00220   416   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00221   416   NtClose  (-2147482036, ... ) == 0x0
 00222   416   NtClose  (-2147482032, ... ) == 0x0
 00212   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00223   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00224   416   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00225   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00226   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00227   416   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 8323072, ) == 0x0
 00228   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   416   NtQueryDefaultUILanguage  (2013024600, ...
 00230   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00231   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00232   416   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00233   416   NtClose  (-2147482032, ... ) == 0x0
 00234   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00235   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00236   416   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00237   416   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   416   NtClose  (-2147482036, ... ) == 0x0
 00239   416   NtClose  (-2147482032, ... ) == 0x0
 00229   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00240   416   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00241   416   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00242   416   NtQueryDefaultLocale  (1, 1237928, ... ) == 0x0
 00243   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00244   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1510, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 416, 1510, 0}  (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1510, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" )  ) == 0x0
 00245   416   NtClose  (56, ... ) == 0x0
 00246   416   NtClose  (60, ... ) == 0x0
 00247   416   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00248   416   NtUnmapViewOfSection  (-1, 0x12ee00, ... ) == STATUS_NOT_MAPPED_VIEW
 00249   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00250   416   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00252   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00253   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237012, ... ) }, 1237012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00255   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00256   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00257   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237604, ... ) }, 1237604, ... ) == 0x0
 00258   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00259   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00260   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00261   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00262   416   NtClose  (56, ... ) == 0x0
 00263   416   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 921600, ) == 0x0
 00264   416   NtClose  (64, ... ) == 0x0
 00265   416   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00266   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00267   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00268   416   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00269   416   NtOpenProcessToken  (-1, 0x8, ... 68, ) == 0x0
 00270   416   NtQueryInformationToken  (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00271   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0
 00273   416   NtQueryValueKey  (72,  (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00274   416   NtClose  (72, ... ) == 0x0
 00275   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00277   416   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   416   NtClose  (72, ... ) == 0x0
 00279   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   416   NtClose  (68, ... ) == 0x0
 00281   416   NtClose  (64, ... ) == 0x0
 00282   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00283   416   NtClose  (56, ... ) == 0x0
 00284   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00285   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00286   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00287   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00288   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00289   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00290   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00291   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00292   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00293   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00294   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00295   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00296   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00297   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00298   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00299   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00300   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00301   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00302   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00303   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00304   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00305   416   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238788, ... ) , 42, 1238788, ... ) == 0x0
 00306   416   NtQueryDefaultUILanguage  (1237504, ...
 00307   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00308   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00309   416   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00310   416   NtClose  (-2147482032, ... ) == 0x0
 00311   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00312   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   416   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00314   416   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   416   NtClose  (-2147482044, ... ) == 0x0
 00316   416   NtClose  (-2147482032, ... ) == 0x0
 00306   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00317   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236356, ... ) }, 1236356, ... ) == 0x0
 00319   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00320   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00321   416   NtClose  (56, ... ) == 0x0
 00322   416   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 4096, ) == 0x0
 00323   416   NtClose  (64, ... ) == 0x0
 00324   416   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00325   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235996, ... ) }, 1235996, ... ) == 0x0
 00326   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236696,  (0x80100080, {24, 0, 0x40, 0, 1236696, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00327   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00328   416   NtClose  (64, ... ) == 0x0
 00329   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 4096, ) == 0x0
 00330   416   NtClose  (56, ... ) == 0x0
 00331   416   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00332   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00333   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00334   416   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 4096, ) == 0x0
 00335   416   NtQueryInformationFile  (56, 1236316, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00336   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00337   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 416, 1513, 0}  (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" )  ) == 0x0
 00338   416   NtClose  (56, ... ) == 0x0
 00339   416   NtClose  (64, ... ) == 0x0
 00340   416   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00341   416   NtUnmapViewOfSection  (-1, 0x12e4ac, ... ) == STATUS_NOT_MAPPED_VIEW
 00342   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00343   416   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00344   416   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00345   416   NtUserGetDC  (0, ... ) == 0x1010051
 00346   416   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00347   416   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00348   416   NtUserSystemParametersInfo  (66, 12, 1238808, 0, ... ) == 0x1
 00349   416   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00350   416   NtAccessCheck  (1327064, 64, 0x1, 1238212, 1238156, 56, 1238240, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00351   416   NtClose  (64, ... ) == 0x0
 00352   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00353   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00354   416   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00355   416   NtClose  (64, ... ) == 0x0
 00356   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00357   416   NtSetInformationObject  (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00358   416   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00359   416   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00360   416   NtClose  (56, ... ) == 0x0
 00361   416   NtUserSystemParametersInfo  (41, 500, 1238308, 0, ... ) == 0x1
 00362   416   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00363   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00364   416   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00365   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00366   416   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00367   416   NtClose  (68, ... ) == 0x0
 00368   416   NtClose  (56, ... ) == 0x0
 00369   416   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00370   416   NtUserSystemParametersInfo  (4130, 0, 1238832, 0, ... ) == 0x1
 00371   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0
 00372   416   NtEnumerateValueKey  (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00373   416   NtClose  (56, ... ) == 0x0
 00374   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00375   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc03b
 00376   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc03d
 00377   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00378   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc03f
 00379   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00380   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc041
 00381   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00382   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc043
 00383   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc045
 00384   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00385   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc047
 00386   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00387   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc049
 00388   416   NtUserGetClassInfo  (1905590272, 1238728, 1238680, 1238756, 0, ... ) == 0xc049
 00389   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00390   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04b
 00391   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00392   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04d
 00393   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00394   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04f
 00395   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc051
 00396   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00397   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc053
 00398   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00399   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc055
 00400   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc057
 00401   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00402   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc059
 00403   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10013
 00404   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc05b
 00405   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00406   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc05d
 00407   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00408   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc05f
 00409   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00410   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc017
 00411   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00412   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc019
 00413   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10013
 00414   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc018
 00415   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00416   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc01a
 00417   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00418   416   NtUserRegisterClassExWOW  (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ...
 00419   416   NtAllocateVirtualMemory  (-1, 5734400, 0, 4096, 4096, 32, ... 5734400, 4096, ) == 0x0
 00418   416   NtUserRegisterClassExWOW  ... ) == 0x810dc01c
 00420   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00421   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc01e
 00422   416   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00423   416   NtUserRegisterClassExWOW  (1238624, 1238704, 1238688, 1238720, 0, 384, 0, ... ) == 0x810dc01b
 00424   416   NtUserFindExistingCursorIcon  (1238108, 1238124, 1238692, ... ) == 0x10011
 00425   416   NtUserRegisterClassExWOW  (1238620, 1238700, 1238684, 1238716, 0, 384, 0, ... ) == 0x810dc068
 00426   416   NtUserFindExistingCursorIcon  (1238116, 1238132, 1238700, ... ) == 0x10011
 00427   416   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc06a
 00428   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00429   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00430   416   NtClose  (56, ... ) == 0x0
 00431   416   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 56, ) == 0x0
 00432   416   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00433   416   NtClose  (56, ... ) == 0x0
 00434   416   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00435   416   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00436   416   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00437   416   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00438   416   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   416   NtClose  (56, ... ) == 0x0
 00440   416   NtUserSystemParametersInfo  (41, 500, 1239468, 0, ... ) == 0x1
 00441   416   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00442   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00443   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00444   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc03b
 00445   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00446   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc03d
 00447   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00448   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00449   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc03f
 00450   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00451   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00452   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc041
 00453   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00454   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00455   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc043
 00456   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00457   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc045
 00458   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00459   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00460   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc047
 00461   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00462   416   NtUserFindExistingCursorIcon  (1239256, 1239272, 1239840, ... ) == 0x10011
 00463   416   NtUserRegisterClassExWOW  (1239708, 1239788, 1239772, 1239804, 0, 384, 0, ... ) == 0x810dc049
 00464   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00465   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00466   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04b
 00467   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00468   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00469   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04d
 00470   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00471   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00472   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04f
 00473   416   NtUserGetClassInfo  (1999896576, 1239880, 1239832, 1239908, 0, ... ) == 0x0
 00474   416   NtUserRegisterClassExWOW  (1239716, 1239796, 1239780, 1239812, 0, 384, 0, ... ) == 0x810dc051
 00475   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00476   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00477   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc053
 00478   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00479   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00480   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc055
 00481   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc057
 00482   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00483   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00484   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc059
 00485   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00486   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10013
 00487   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05b
 00488   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00489   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00490   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05d
 00491   416   NtUserGetClassInfo  (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0
 00492   416   NtUserFindExistingCursorIcon  (1239260, 1239276, 1239844, ... ) == 0x10011
 00493   416   NtUserRegisterClassExWOW  (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05f
 00494   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03b
 00495   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03d
 00496   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03f
 00497   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc041
 00498   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc043
 00499   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc045
 00500   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc047
 00501   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc049
 00502   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04b
 00503   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04d
 00504   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04f
 00505   416   NtUserGetClassInfo  (1999896576, 1241632, 1241584, 1241660, 0, ... ) == 0xc051
 00506   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc053
 00507   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc055
 00508   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc059
 00509   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05b
 00510   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05d
 00511   416   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05f
 00512   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241536, ... ) }, 1241536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00514   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241536, ... ) }, 1241536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241536, ... ) }, 1241536, ... ) == 0x0
 00516   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00517   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00518   416   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00519   416   NtClose  (56, ... ) == 0x0
 00520   416   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00521   416   NtClose  (68, ... ) == 0x0
 00522   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00524   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00525   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == 0x0
 00526   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00527   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0
 00528   416   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00529   416   NtClose  (68, ... ) == 0x0
 00530   416   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00531   416   NtClose  (56, ... ) == 0x0
 00532   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00533   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00534   416   NtQueryVirtualMemory  (-1, 0x425080, Basic, 28, ... {BaseAddress=0x425000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00535   416   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00536   416   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00537   416   NtProtectVirtualMemory  (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00538   416   NtProtectVirtualMemory  (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00539   416   NtProtectVirtualMemory  (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00540   416   NtProtectVirtualMemory  (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00541   416   NtProtectVirtualMemory  (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00542   416   NtProtectVirtualMemory  (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00543   416   NtProtectVirtualMemory  (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00544   416   NtProtectVirtualMemory  (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00545   416   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00546   416   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00547   416   NtTestAlert  (... ) == 0x0
 00548   416   NtContinue  (1244464, 1, ...
 00549   416   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x444000,}, 4, ... ) == 0x0
 00550   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00551   416   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176}  (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176} "\0\0\0\0\2\0\1\0\31\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 412, 416, 1514, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 412, 416, 1514, 0}  (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176} "\0\0\0\0\2\0\1\0\31\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 412, 416, 1514, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00552   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00553   416   NtQueryDirectoryFile  (-2147482032, 0, 0, 0, -519741440, 4096, Names, 1,  (-2147482032, 0, 0, 0, -519741440, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00554   416   NtClose  (-2147482032, ... ) == 0x0
 00552   416   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00555   416   NtClose  (56, ... ) == 0x0
 00556   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00558   416   NtClose  (-2147482032, ... ) == 0x0
 00559   416   NtQueryDirectoryFile  (-2147482032, 0, 0, 0, -519741440, 4096, Names, 1,  (-2147482032, 0, 0, 0, -519741440, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00560   416   NtClose  (-2147482032, ... ) == 0x0
 00557   416   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00561   416   NtQueryVolumeInformationFile  (56, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00562   416   NtQueryInformationFile  (56, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00563   416   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0
 00564   416   NtClose  (56, ... ) == 0x0
 00565   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00566   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00567   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00568   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00569   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00570   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 72, ) }, ... 72, ) == 0x0
 00572   416   NtQueryValueKey  (72,  (72, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   416   NtClose  (72, ... ) == 0x0
 00574   416   NtQueryVolumeInformationFile  (56, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00575   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00576   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00577   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0
 00578   416   NtClose  (72, ... ) == 0x0
 00579   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 106496, ) == 0x0
 00580   416   NtClose  (76, ... ) == 0x0
 00581   416   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00582   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00583   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00584   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0
 00585   416   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00586   416   NtClose  (76, ... ) == 0x0
 00587   416   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00588   416   NtClose  (72, ... ) == 0x0
 00589   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00590   416   NtQueryInformationFile  (72, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00591   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00592   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8b0000), 0x0, 1028096, ) == 0x0
 00593   416   NtQueryInformationFile  (72, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00594   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00596   416   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00597   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00598   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00599   416   NtClose  (80, ... ) == 0x0
 00600   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00601   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00602   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00603   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00604   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00605   416   NtClose  (80, ... ) == 0x0
 00606   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00607   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00608   416   NtClose  (80, ... ) == 0x0
 00609   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00610   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00611   416   NtClose  (80, ... ) == 0x0
 00612   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00613   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00614   416   NtClose  (80, ... ) == 0x0
 00615   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00616   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00617   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00618   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00619   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00620   416   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00621   416   NtClose  (80, ... ) == 0x0
 00622   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00623   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00624   416   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00625   416   NtClose  (76, ... ) == 0x0
 00626   416   NtClose  (72, ... ) == 0x0
 00627   416   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00628   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00630   416   NtOpenProcessToken  (-1, 0xa, ... 72, ) == 0x0
 00631   416   NtQueryInformationToken  (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00632   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00634   416   NtQueryValueKey  (76,  (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00635   416   NtQueryValueKey  (76,  (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00636   416   NtClose  (76, ... ) == 0x0
 00637   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00638   416   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00639   416   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00640   416   NtClose  (76, ... ) == 0x0
 00641   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00643   416   NtQueryValueKey  (76,  (76, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   416   NtClose  (76, ... ) == 0x0
 00645   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00646   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00647   416   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00648   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00649   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00650   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00651   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00652   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00653   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00654   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00655   416   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00656   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 76, ) }, ... 76, ) == 0x0
 00657   416   NtEnumerateKey  (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00658   416   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 80, ) }, ... 80, ) == 0x0
 00659   416   NtQueryValueKey  (80,  (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00660   416   NtQueryValueKey  (80,  (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661   416   NtClose  (80, ... ) == 0x0
 00662   416   NtEnumerateKey  (76, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00663   416   NtClose  (76, ... ) == 0x0
 00664   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00666   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00680   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   416   NtClose  (76, ... ) == 0x0
 00682   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00684   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00685   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00686   416   NtClose  (76, ... ) == 0x0
 00687   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00688   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00689   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00690   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00691   416   NtClose  (76, ... ) == 0x0
 00692   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00694   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00695   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00696   416   NtClose  (76, ... ) == 0x0
 00697   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00699   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00700   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00701   416   NtClose  (76, ... ) == 0x0
 00702   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00703   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00704   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00705   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00706   416   NtClose  (76, ... ) == 0x0
 00707   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00708   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00709   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00710   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00711   416   NtClose  (76, ... ) == 0x0
 00712   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00715   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716   416   NtClose  (76, ... ) == 0x0
 00717   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00719   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00720   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00721   416   NtClose  (76, ... ) == 0x0
 00722   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00725   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   416   NtClose  (76, ... ) == 0x0
 00727   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00729   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00730   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00731   416   NtClose  (76, ... ) == 0x0
 00732   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00734   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00735   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00736   416   NtClose  (76, ... ) == 0x0
 00737   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00740   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   416   NtClose  (76, ... ) == 0x0
 00742   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00743   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00744   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00745   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00746   416   NtClose  (76, ... ) == 0x0
 00747   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00749   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00750   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00751   416   NtClose  (76, ... ) == 0x0
 00752   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00753   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00754   416   NtQueryValueKey  (76,  (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00755   416   NtClose  (76, ... ) == 0x0
 00756   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00757   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00758   416   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00759   416   NtClose  (76, ... ) == 0x0
 00760   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   416   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00762   416   NtOpenProcessToken  (-1, 0xa, ... 76, ) == 0x0
 00763   416   NtDuplicateToken  (76, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 80, ) == 0x0
 00764   416   NtClose  (76, ... ) == 0x0
 00765   416   NtAccessCheck  (1337824, 80, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 00766   416   NtClose  (80, ... ) == 0x0
 00767   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0
 00768   416   NtQueryValueKey  (80,  (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   416   NtClose  (80, ... ) == 0x0
 00770   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 80, ) }, ... 80, ) == 0x0
 00771   416   NtQuerySymbolicLinkObject  (80, ...  (80, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00772   416   NtClose  (80, ... ) == 0x0
 00773   416   NtQueryInformationFile  (56, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 00774   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00775   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00776   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 00777   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00778   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00779   416   NtClose  (80, ... ) == 0x0
 00780   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00781   416   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00782   416   NtClose  (80, ... ) == 0x0
 00783   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00784   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00785   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00786   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00787   416   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00788   416   NtClose  (80, ... ) == 0x0
 00789   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00790   416   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 76, ) }, ... 76, ) == 0x0
 00791   416   NtClose  (80, ... ) == 0x0
 00792   416   NtQueryValueKey  (76,  (76, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00793   416   NtQueryValueKey  (76,  (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00794   416   NtClose  (76, ... ) == 0x0
 00795   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 8978432, 4096, ) == 0x0
 00796   416   NtAllocateVirtualMemory  (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0
 00797   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00798   416   NtQueryValueKey  (76,  (76, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   416   NtClose  (76, ... ) == 0x0
 00800   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   416   NtQueryInformationToken  (72, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00802   416   NtQueryInformationToken  (72, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00803   416   NtClose  (72, ... ) == 0x0
 00804   416   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 68, 0, 0, 0, ... ) == 0x0
 00805   416   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0
 00806   416   NtReadVirtualMemory  (72, 0x7ffdf008, 4, ...  (72, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00807   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   416   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00809   416   NtReadVirtualMemory  (72, 0x9800000, 4096, ...  (72, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00810   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00811   416   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0
 00812   416   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 9109504, 4096, ) == 0x0
 00813   416   NtAllocateVirtualMemory  (72, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00814   416   NtWriteVirtualMemory  (72, 0x10000,  (72, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00815   416   NtAllocateVirtualMemory  (72, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 00816   416   NtWriteVirtualMemory  (72, 0x20000,  (72, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 00817   416   NtWriteVirtualMemory  (72, 0x7ffdf010,  (72, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00818   416   NtWriteVirtualMemory  (72, 0x7ffdf1e8,  (72, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00819   416   NtFreeVirtualMemory  (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0
 00820   416   NtAllocateVirtualMemory  (72, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00821   416   NtAllocateVirtualMemory  (72, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00822   416   NtProtectVirtualMemory  (72, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00823   416   NtCreateThread  (0x1f03ff, 0x0, 72, 1241260, 1241980, 1, ... 76, {380, 568}, ) == 0x0
 00824   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 1515, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 412, 416, 1515, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 1515, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00825   416   NtResumeThread  (76, ... 1, ) == 0x0
 00826   416   NtClose  (56, ... ) == 0x0
 00827   416   NtClose  (68, ... ) == 0x0
 00828   416   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0
 00829   416   NtUserWaitForInputIdle  (380, 30000, 0, ...
 00830   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00831   416   NtClose  (68, ... ) == 0x0
 00829   416   NtUserWaitForInputIdle  ... ) == 0x102
 00832   416   NtClose  (72, ... ) == 0x0
 00833   416   NtClose  (76, ... ) == 0x0
 00834   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00835   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00836   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00837   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0
 00838   416   NtClose  (76, ... ) == 0x0
 00839   416   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244956,  (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ...
 00840   416   NtClose  (-2147482216, ... ) == 0x0
 00839   416   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00841   416   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0
 00842   416   NtClose  (76, ... ) == 0x0
 00843   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0
 00844   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244368,  (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00845   416   NtQueryVolumeInformationFile  (76, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00846   416   NtQueryInformationFile  (76, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00847   416   NtQueryInformationFile  (76, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00848   416   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00849   416   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00850   416   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00851   416   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9109504, 524288, ) == 0x0
 00852   416   NtAllocateVirtualMemory  (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0
 00853   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244372,  (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00855   416   NtClose  (-2147482216, ... ) == 0x0
 00854   416   NtCreateFile  ... 72, {status=0x0, info=2}, ) == 0x0
 00856   416   NtQueryVolumeInformationFile  (72, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00857   416   NtQueryInformationFile  (72, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00858   416   NtAllocateVirtualMemory  (-1, 1347584, 0, 36864, 4096, 4, ... 1347584, 36864, ) == 0x0
 00859   416   NtAllocateVirtualMemory  (-1, 1384448, 0, 36864, 4096, 4, ... 1384448, 36864, ) == 0x0
 00860   416   NtQueryInformationFile  (76, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00861   416   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00862   416   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00863   416   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00864   416   NtSetInformationFile  (76, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00865   416   NtSetInformationFile  (72, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00866   416   NtReadFile  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864},  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0
 00867   416   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00868   416   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00869   416   NtQueryInformationFile  (76, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00870   416   NtSetInformationFile  (72, 1244896, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00871   416   NtFreeVirtualMemory  (-1, (0x147000), 81920, 16384, ... (0x147000), 81920, ) == 0x0
 00872   416   NtClose  (72, ... ) == 0x0
 00873   416   NtClose  (76, ... ) == 0x0
 00874   416   NtUnmapViewOfSection  (-1, 0x73dc0000, ... ) == 0x0
 00875   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0
 00876   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00877   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 76, ... 72, ) == 0x0
 00878   416   NtClose  (76, ... ) == 0x0
 00879   416   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x930000), 0x0, 36864, ) == 0x0
 00880   416   NtClose  (72, ... ) == 0x0
 00881   416   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 00882   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00883   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00884   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 00885   416   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00886   416   NtClose  (72, ... ) == 0x0
 00887   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0
 00888   416   NtClose  (76, ... ) == 0x0
 00889   416   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0
 00890   416   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0
 00891   416   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00892   416   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00893   416   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00894   416   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00895   416   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00896   416   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00897   416   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00898   416   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00899   416   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00900   416   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00901   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00902   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00903   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 00904   416   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00905   416   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x0
 00906   416   NtUserSetWindowsHookEx  (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3003b
 00907   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9633792, 1048576, ) == 0x0
 00908   416   NtAllocateVirtualMemory  (-1, 10674176, 0, 8192, 4096, 4, ... 10674176, 8192, ) == 0x0
 00909   416   NtProtectVirtualMemory  (-1, (0xa2e000), 4096, 260, ... (0xa2e000), 4096, 4, ) == 0x0
 00910   416   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {412, 1352}, ) == 0x0
 00911   416   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=412,Tid=1352,}, 0x0, ) == 0x0
 00912   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\234\1\0\0H\5\0\0" ... {28, 56, reply, 0, 412, 416, 2268, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\234\1\0\0H\5\0\0" )  ... {28, 56, reply, 0, 412, 416, 2268, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\234\1\0\0H\5\0\0" ... {28, 56, reply, 0, 412, 416, 2268, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\234\1\0\0H\5\0\0" )  ) == 0x0
 00913   416   NtResumeThread  (72, ... 1, ) == 0x0
 00914   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10682368, 1048576, ) == 0x0
 00915   416   NtAllocateVirtualMemory  (-1, 11722752, 0, 8192, 4096, 4, ... 11722752, 8192, ) == 0x0
 00916  1352   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 68, ) == 0x0
 00917  1352   NtWaitForSingleObject  (68, 0, 0x0, ...
 00918   416   NtProtectVirtualMemory  (-1, (0xb2e000), 4096, 260, ... (0xb2e000), 4096, 4, ) == 0x0
 00919   416   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 56, {412, 1488}, ) == 0x0
 00920   416   NtQueryInformationThread  (56, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=412,Tid=1488,}, 0x0, ) == 0x0
 00921   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 416, 2268, 0}  (24, {28, 56, new_msg, 0, 412, 416, 2268, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\234\1\0\0\320\5\0\0" ... {28, 56, reply, 0, 412, 416, 2269, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\234\1\0\0\320\5\0\0" )  ... {28, 56, reply, 0, 412, 416, 2269, 0}  (24, {28, 56, new_msg, 0, 412, 416, 2268, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\234\1\0\0\320\5\0\0" ... {28, 56, reply, 0, 412, 416, 2269, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\234\1\0\0\320\5\0\0" )  ) == 0x0
 00922   416   NtResumeThread  (56, ... 1, ) == 0x0
 00923   416   NtUserSetTimer  (0, 0, 4096, 268451664, ...
 00924  1488   NtWaitForSingleObject  (68, 0, 0x0, ...
 00923   416   NtUserSetTimer  ... ) == 0x7ff9
 00925   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11730944, 1048576, ) == 0x0
 00926   416   NtAllocateVirtualMemory  (-1, 12771328, 0, 8192, 4096, 4, ... 12771328, 8192, ) == 0x0
 00927   416   NtProtectVirtualMemory  (-1, (0xc2e000), 4096, 260, ... (0xc2e000), 4096, 4, ) == 0x0
 00928   416   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {412, 780}, ) == 0x0
 00929   416   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=412,Tid=780,}, 0x0, ) == 0x0
 00930   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 416, 2269, 0}  (24, {28, 56, new_msg, 0, 412, 416, 2269, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\234\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 412, 416, 2270, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\234\1\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 412, 416, 2270, 0}  (24, {28, 56, new_msg, 0, 412, 416, 2269, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\234\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 412, 416, 2270, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\234\1\0\0\14\3\0\0" )  ) == 0x0
 00931   416   NtResumeThread  (80, ... 1, ) == 0x0
 00932   416   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   780   NtWaitForSingleObject  (68, 0, 0x0, ...
 00934   416   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 84, ) }, {20480, 0}, 4, 134217728, 0, ... 84, ) == 0x0
 00935   416   NtSetEventBoostPriority  (68, ...
 00917  1352   NtWaitForSingleObject  ... ) == 0x0
 00936  1352   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00937  1352   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00938  1352   NtSetEventBoostPriority  (68, ...
 00924  1488   NtWaitForSingleObject  ... ) == 0x0
 00939  1488   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00940  1488   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00941  1488   NtSetEventBoostPriority  (68, ...
 00933   780   NtWaitForSingleObject  ... ) == 0x0
 00942   780   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00943   780   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00944   780   NtTestAlert  (... ) == 0x0
 00945   780   NtContinue  (12778800, 1, ...
 00946   780   NtRegisterThreadTerminatePort  (24, ...
 00941  1488   NtSetEventBoostPriority  ... ) == 0x0
 00938  1352   NtSetEventBoostPriority  ... ) == 0x0
 00935   416   NtSetEventBoostPriority  ... ) == 0x0
 00947  1488   NtTestAlert  (...
 00948  1352   NtTestAlert  (...
 00949   416   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ...
 00947  1488   NtTestAlert  ... ) == 0x0
 00948  1352   NtTestAlert  ... ) == 0x0
 00949   416   NtMapViewOfSection  ... (0xc30000), {0, 0}, 20480, ) == 0x0
 00946   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 00950  1488   NtContinue  (11730224, 1, ...
 00951  1352   NtContinue  (10681648, 1, ...
 00952   780   NtDelayExecution  (0, {-20480000, -1}, ...
 00953  1488   NtRegisterThreadTerminatePort  (24, ...
 00954  1352   NtRegisterThreadTerminatePort  (24, ...
 00953  1488   NtRegisterThreadTerminatePort  ... ) == 0x0
 00954  1352   NtRegisterThreadTerminatePort  ... ) == 0x0
 00955  1488   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... }, ...
 00956  1352   NtDelayExecution  (0, {-40960000, -1}, ...
 00955  1488   NtOpenKey  ... 88, ) == 0x0
 00957  1488   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00958  1488   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00959  1488   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00960  1488   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... }, ...
 00961   416   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 00962   416   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00963   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243652, ... ) }, 1243652, ... ) == 0x0
 00964   416   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 1339136, 0, 1243992}  (24, {20, 48, new_msg, 0, 1310720, 1339136, 0, 1243992} "\0\0\0\0\2\0\1\0\203 \365w\10\6\24\0\215\26\365w" ... {20, 48, reply, 0, 412, 416, 2271, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\10\6\24\0\3\0\0\0" )  ... {20, 48, reply, 0, 412, 416, 2271, 0}  (24, {20, 48, new_msg, 0, 1310720, 1339136, 0, 1243992} "\0\0\0\0\2\0\1\0\203 \365w\10\6\24\0\215\26\365w" ... {20, 48, reply, 0, 412, 416, 2271, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\10\6\24\0\3\0\0\0" )  ) == 0x0
 00965   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243660,  (0x80100080, {24, 0, 0x40, 0, 1243660, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00960  1488   NtOpenKey  ... 96, ) == 0x0
 00966  1488   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00967  1488   NtNotifyChangeKey  (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00968  1488   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ...
 00969   416   NtQueryDirectoryFile  (-2147482216, 0, 0, 0, -519823360, 4096, Names, 1,  (-2147482216, 0, 0, 0, -519823360, 4096, Names, 1, "~3.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00970   416   NtClose  (-2147482216, ... ) == 0x0
 00965   416   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00971   416   NtClose  (100, ... ) == 0x0
 00972   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243640,  (0xc0100080, {24, 0, 0x40, 0, 1243640, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00968  1488   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00974  1488   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975  1488   NtQueryValueKey  (96,  (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00976  1488   NtQueryValueKey  (96,  (96, "Num_Catalog_Entries", Partial, 144, ... , Partial, 144, ...
 00977   416   NtClose  (-2147482216, ... ) == 0x0
 00978   416   NtQueryDirectoryFile  (-2147482216, 0, 0, 0, -519823360, 4096, Names, 1,  (-2147482216, 0, 0, 0, -519823360, 4096, Names, 1, "~3.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00979   416   NtClose  (-2147482216, ... ) == 0x0
 00973   416   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00980   416   NtQueryVolumeInformationFile  (100, 1243800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00981   416   NtQueryInformationFile  (100, 1243692, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00976  1488   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00982  1488   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00983  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00984  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00985  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00986  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\334\3\0\0\234\1\0\0\240\1\0\0\310\0\0\0\0\0\1\0\0\0\0\0\34\2\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\334\3\0\0\234\1\0\0\240\1\0\0\310\0\0\0\0\0\1\0\0\0\0\0\34\2\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0"}, 900, ) }, 900, ) == 0x0
 00987  1488   NtClose  (108, ...
 00988   416   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0
 00989   416   NtClose  (100, ... ) == 0x0
 00990   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00991   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1240364, ... ) }, 1240364, ... ) == 0x0
 00992   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1241056, ... ) }, 1241056, ... ) == 0x0
 00993   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00987  1488   NtClose  ... ) == 0x0
 00994  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00995  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00996  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00997  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\346\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\346\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\350\3\0\0\234\1\0\0\240\1\0\0!\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\37\0\17\0\377\377\377\377\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0\0\0\0\1d\0\0\0\347\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\351\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\346\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\346\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\350\3\0\0\234\1\0\0\240\1\0\0!\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\37\0\17\0\377\377\377\377\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0\0\0\0\1d\0\0\0\347\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\351\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0"}, 900, ) == 0x0
 00998  1488   NtClose  (108, ... ) == 0x0
 00999  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... }, ...
 01000   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ...
 00999  1488   NtOpenKey  ... 108, ) == 0x0
 01001  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01002  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01003  1488   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01004  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\355\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01005  1488   NtClose  (108, ... ) == 0x0
 01006  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 01007  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01008  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01009  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\362\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01010  1488   NtClose  (108, ... ) == 0x0
 01011  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0
 01012  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01013  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01014  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\367\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01015  1488   NtClose  (108, ... ) == 0x0
 01016  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 108, ) == 0x0
 01017  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01018  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01019  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\374\3\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01020  1488   NtClose  (108, ... ) == 0x0
 01021  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0
 01022  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01023  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01024  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\1\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01025  1488   NtClose  (108, ... ) == 0x0
 01026  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0
 01027  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01028  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01029  1488   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01030  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\7\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01031  1488   NtClose  (108, ... ) == 0x0
 01032  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0
 01033  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01034  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01035  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\14\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01036  1488   NtClose  (108, ... ) == 0x0
 01037  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0
 01038  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01039  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01040  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\21\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0@o\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\234\1\0\0\320\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01041  1488   NtClose  (108, ... ) == 0x0
 01042  1488   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0
 01043  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01044  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01045  1488   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\26\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0\234\1\0\0\320\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0\234\1\0\0\320\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0\234\1\0\0\320\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0\234\1\0\0\320\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\32\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250m\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\26\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\4\0\0\234\1\0\0\320\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0\234\1\0\0\320\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0\234\1\0\0\320\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0\234\1\0\0\320\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0\234\1\0\0\320\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\32\4\0\0\234\1\0\0\320\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250m\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 01046  1488   NtClose  (108, ... ) == 0x0
 01047  1488   NtClose  (104, ... ) == 0x0
 01048  1488   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 01049  1488   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 01050  1488   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 01051  1488   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01052  1488   NtNotifyChangeKey  (108, 104, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01053  1488   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01054  1488   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055  1488   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01056  1488   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 01057  1488   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01058  1488   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 01059  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01060  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01061  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01062  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01063  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01064  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01065  1488   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01066  1488   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067  1488   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01068  1488   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01069  1488   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01070  1488   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01071  1488   NtClose  (116, ... ) == 0x0
 01072  1488   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 01073  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01074  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01075  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01076  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01077  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01078  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01079  1488   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01080  1488   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01081  1488   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01082  1488   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01083  1488   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01084  1488   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01085  1488   NtClose  (116, ... ) == 0x0
 01086  1488   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 01087  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01088  1488   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01089  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01090  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01091  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01092  1488   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01093  1488   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01094  1488   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095  1488   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01096  1488   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01097  1488   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01098  1488   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01099  1488   NtClose  (116, ... ) == 0x0
 01100  1488   NtClose  (112, ... ) == 0x0
 01101  1488   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01102  1488   NtClose  (88, ... ) == 0x0
 01103  1488   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01104  1488   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01105  1488   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 01106  1488   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107  1488   NtClose  (88, ... ) == 0x0
 01108  1488   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 01109  1488   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01110  1488   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01111  1488   NtQueryInformationFile  (112, 1354616, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01112  1488   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 12779520, 1052672, ) == 0x0
 01113  1488   NtAllocateVirtualMemory  (-1, 12779520, 0, 235, 4096, 4, ... 12779520, 4096, ) == 0x0
 01114  1488   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01115  1488   NtFreeVirtualMemory  (-1, (0xc30000), 1052672, 32768, ... (0xc30000), 1052672, ) == 0x0
 01116  1488   NtUnlockFile  (112, {0, 0}, {-1, -1}, 1488, ... ) == STATUS_RANGE_NOT_LOCKED
 01117  1488   NtClose  (112, ... ) == 0x0
 01118  1488   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 01119  1488   NtQueryInformationToken  (112, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01120  1488   NtClose  (112, ... ) == 0x0
 01121  1488   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01122  1488   NtCreateFile  (0xc0100000, {24, 0, 0x40, 0, 0,  (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01123  1488   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0
 01124  1488   NtQueryInformationFile  (112, 1354616, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01125  1488   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 12779520, 1052672, ) == 0x0
 01126  1488   NtAllocateVirtualMemory  (-1, 12779520, 0, 235, 4096, 4, ... 12779520, 4096, ) == 0x0
 01127  1488   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01128  1488   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=55718ngmudj36094\15\12", 39, {231, 0}, 2012046884, ... , 39, {231, 0}, 2012046884, ...
 01000   416   NtCreateSection  ... 116, ) == 0x0
 01129   416   NtQueryVolumeInformationFile  (100, 1240364, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01130   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 01131   416   NtQueryInformationFile  (120, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01128  1488   NtWriteFile  ... {status=0x0, info=39}, ) == 0x0
 01132  1488   NtSetInformationFile  (112, 11730088, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01133  1488   NtFreeVirtualMemory  (-1, (0xc30000), 1052672, 32768, ... (0xc30000), 1052672, ) == 0x0
 01134  1488   NtUnlockFile  (112, {0, 0}, {-1, -1}, 1488, ... ) == STATUS_RANGE_NOT_LOCKED
 01135  1488   NtClose  (112, ... ) == 0x0
 01136   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 112, ) == 0x0
 01137   416   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc30000), 0x0, 1028096, ) == 0x0
 01138   416   NtQueryInformationFile  (120, 1239048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01139   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01141   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1236612, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236612, 616, BothDirectory, 1, "~3.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01142  1488   NtDelayExecution  (0, {-122880000, -1}, ...
 01143   416   NtClose  (124, ... ) == 0x0
 01144   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01145   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01146   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1236000, ... ) }, 1236000, ... ) == 0x0
 01147   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01148   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01149   416   NtClose  (124, ... ) == 0x0
 01150   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01151   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01152   416   NtClose  (124, ... ) == 0x0
 01153   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01154   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 01155   416   NtClose  (124, ... ) == 0x0
 01156   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01157   416   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01158   416   NtClose  (124, ... ) == 0x0
 01159   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01160   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01161   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01162   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01163   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01164   416   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01165   416   NtClose  (124, ... ) == 0x0
 01166   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   416   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01169   416   NtClose  (112, ... ) == 0x0
 01170   416   NtClose  (120, ... ) == 0x0
 01171   416   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01172   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01174   416   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 01175   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0
 01176   416   NtQueryValueKey  (112,  (112, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01177   416   NtQueryValueKey  (112,  (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01178   416   NtClose  (112, ... ) == 0x0
 01179   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 112, ) }, ... 112, ) == 0x0
 01180   416   NtQuerySymbolicLinkObject  (112, ...  (112, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01181   416   NtClose  (112, ... ) == 0x0
 01182   416   NtQueryInformationFile  (100, 1238716, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01183   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01184   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01185   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~3.tmp.exe"}, 1237396, ... ) }, 1237396, ... ) == 0x0
 01186   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01187   416   NtQueryDirectoryFile  (112, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01188   416   NtClose  (112, ... ) == 0x0
 01189   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0
 01190   416   NtQueryDirectoryFile  (112, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01191   416   NtClose  (112, ... ) == 0x0
 01192   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01193   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01194   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0
 01195   416   NtQueryValueKey  (112,  (112, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196   416   NtClose  (112, ... ) == 0x0
 01197   416   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   416   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01199   416   NtClose  (120, ... ) == 0x0
 01200   416   NtCreateProcessEx  (1242992, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0
 01201   416   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1496,ParentPid=412,}, 0x0, ) == 0x0
 01202   416   NtReadVirtualMemory  (120, 0x7ffdf008, 4, ...  (120, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01203   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   416   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 01205   416   NtReadVirtualMemory  (120, 0x9800000, 4096, ...  (120, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01206   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01207   416   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1496,ParentPid=412,}, 0x0, ) == 0x0
 01208   416   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 12779520, 4096, ) == 0x0
 01209   416   NtAllocateVirtualMemory  (120, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01210   416   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01211   416   NtAllocateVirtualMemory  (120, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01212   416   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01213   416   NtWriteVirtualMemory  (120, 0x7ffdf010,  (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01214   416   NtWriteVirtualMemory  (120, 0x7ffdf1e8,  (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01215   416   NtFreeVirtualMemory  (-1, (0xc30000), 0, 32768, ... (0xc30000), 4096, ) == 0x0
 01216   416   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01217   416   NtAllocateVirtualMemory  (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01218   416   NtProtectVirtualMemory  (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01219   416   NtCreateThread  (0x1f03ff, 0x0, 120, 1241256, 1241976, 1, ... 112, {1496, 1500}, ) == 0x0
 01220   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0p\0\0\0\330\5\0\0\334\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2272, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0p\0\0\0\330\5\0\0\334\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 412, 416, 2272, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0p\0\0\0\330\5\0\0\334\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2272, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0p\0\0\0\330\5\0\0\334\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01221   416   NtResumeThread  (112, ... 1, ) == 0x0
 01222   416   NtClose  (100, ... ) == 0x0
 01223   416   NtClose  (116, ... ) == 0x0
 01224   416   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1496,ParentPid=412,}, 0x0, ) == 0x0
 01225   416   NtUserWaitForInputIdle  (1496, 30000, 0, ...
 01226   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 01227   416   NtClose  (116, ... ) == 0x0
 00952   780   NtDelayExecution  ... ) == 0x0
 01228   780   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 12779520, 65536, ) == 0x0
 01229   780   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01230   780   NtCreateSection  (0xf0007, 0x0, {13396, 0}, 4, 134217728, 0, ... 116, ) == 0x0
 01231   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc40000), {0, 0}, 16384, ) == 0x0
 01232   780   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 01233   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc40000), {0, 0}, 16384, ) == 0x0
 01234   780   NtFreeVirtualMemory  (-1, (0xc30000), 0, 32768, ... (0xc30000), 65536, ) == 0x0
 01235   780   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 01236   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01237   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01238   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01239   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01240   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01241   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01242   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01243   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01244   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01245   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01246   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01247   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01248   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01249   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01250   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01251   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01252   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01253   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01254   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01255   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01256   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01257   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01258   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01259   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01260   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01261   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01262   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01263   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01264   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01265   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01266   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01267   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01268   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01269   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01270   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01271   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01272   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01273   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01274   780   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01275   780   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01276   780   NtContinue  (12776104, 0, ...
 01277   780   NtDelayExecution  (0, {-20480000, -1}, ...
 00956  1352   NtDelayExecution  ... ) == 0x0
 01278  1352   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... (0xc30000), {0, 0}, 20480, ) == 0x0
 01279  1352   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01280  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282  1352   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == 0x0
 01284  1352   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01285  1352   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 124, ) == 0x0
 01286  1352   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01287  1352   NtClose  (100, ... ) == 0x0
 01288  1352   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0
 01289  1352   NtClose  (124, ... ) == 0x0
 01290  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01291  1352   NtAllocateVirtualMemory  (-1, 10670080, 0, 4096, 4096, 260, ... 10670080, 4096, ) == 0x0
 01292  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293  1352   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01294  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == 0x0
 01295  1352   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 01296  1352   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 100, ) == 0x0
 01297  1352   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01298  1352   NtClose  (124, ... ) == 0x0
 01299  1352   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0
 01300  1352   NtClose  (100, ... ) == 0x0
 01301  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303  1352   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... ) == 0x0
 01305  1352   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01306  1352   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 124, ) == 0x0
 01307  1352   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01308  1352   NtClose  (100, ... ) == 0x0
 01309  1352   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01310  1352   NtClose  (124, ... ) == 0x0
 01311  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01312  1352   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01313  1352   NtClose  (124, ... ) == 0x0
 01314  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01315  1352   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01316  1352   NtClose  (124, ... ) == 0x0
 01317  1352   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01318  1352   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01319  1352   NtClose  (124, ... ) == 0x0
 01320  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321  1352   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01322  1352   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 10680384, 0,  (0x1f0003, {24, 52, 0x80, 10680384, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01323  1352   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 124, ) }, ... 124, ) == 0x0
 01324  1352   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01325  1352   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01326  1352   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 12779520, 262144, ) == 0x0
 01327  1352   NtAllocateVirtualMemory  (-1, 12779520, 0, 4096, 4096, 4, ... 12779520, 4096, ) == 0x0
 01328  1352   NtAllocateVirtualMemory  (-1, 12783616, 0, 8192, 4096, 4, ... 12783616, 8192, ) == 0x0
 01329  1352   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01330  1352   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13041664, 1048576, ) == 0x0
 01331  1352   NtAllocateVirtualMemory  (-1, 13041664, 0, 1048576, 4096, 4, ... 13041664, 1048576, ) == 0x0
 01332  1352   NtCreateMutant  (0x1f0001, 0x0, 0, ... 100, ) == 0x0
 01333  1352   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0
 01334  1352   NtCreateMutant  (0x1f0001, 0x0, 0, ... 132, ) == 0x0
 01335  1352   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 136, ) == 0x0
 01336  1352   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 140, ) == 0x0
 01337  1352   NtSetEvent  (140, ... 0x0, ) == 0x0
 01338  1352   NtDelayExecution  (0, {-40960000, -1}, ...
 01277   780   NtDelayExecution  ... ) == 0x0
 01339   780   NtContinue  (12776104, 0, ...
 01340   780   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01341   780   NtContinue  (12776104, 0, ...
 01342   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01338  1352   NtDelayExecution  ... ) == 0x0
 01343  1352   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01344  1352   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 10682096,  (0x40100080, {24, 0, 0x40, 0, 10682096, "\??\C:\KUKU300a"}, 0x0, 32, 2, 5, 96, 0, 0, ... }, 0x0, 32, 2, 5, 96, 0, 0, ...
 01345  1352   NtClose  (-2147482040, ... ) == 0x0
 01344  1352   NtCreateFile  ... 144, {status=0x0, info=2}, ) == 0x0
 01346  1352   NtClose  (144, ... ) == 0x0
 01347  1352   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\KUKU300a"}, 7, 2113600, ... 144, {status=0x0, info=1}, ) }, 7, 2113600, ... 144, {status=0x0, info=1}, ) == 0x0
 01348  1352   NtQueryInformationFile  (144, 10682160, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01349  1352   NtSetInformationFile  (144, 10682211, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 01350  1352   NtClose  (144, ... ) == 0x0
 01351  1352   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01352  1352   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01353  1352   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01354  1352   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 148, ) }, ... 148, ) == 0x0
 01355  1352   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "ActiveComputerName"}, ... 152, ) }, ... 152, ) == 0x0
 01356  1352   NtQueryValueKey  (152,  (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01357  1352   NtClose  (152, ... ) == 0x0
 01358  1352   NtClose  (148, ... ) == 0x0
 01359  1352   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01360  1352   NtQueryValueKey  (148,  (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01361  1352   NtClose  (148, ... ) == 0x0
 01362  1352   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01363  1352   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01364  1352   NtQueryValueKey  (148,  (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01365  1352   NtClose  (148, ... ) == 0x0
 01366  1352   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01367  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 148, ) }, ... 148, ) == 0x0
 01369  1352   NtQueryValueKey  (148,  (148, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370  1352   NtClose  (148, ... ) == 0x0
 01371  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372  1352   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01373  1352   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01374  1352   NtQuerySystemTime  (... {729802262, 29883853}, ) == 0x0
 01375  1352   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01376  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377  1352   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01378  1352   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01379  1352   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01380  1352   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01381  1352   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0
 01382  1352   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 168, ) }, ... 168, ) == 0x0
 01383  1352   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "ActiveComputerName"}, ... 172, ) }, ... 172, ) == 0x0
 01384  1352   NtQueryValueKey  (172,  (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01385  1352   NtClose  (172, ... ) == 0x0
 01386  1352   NtClose  (168, ... ) == 0x0
 01387  1352   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 168, ) == 0x0
 01388  1352   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 172, ) == 0x0
 01389  1352   NtDuplicateObject  (-1, 168, -1, 0x0, 0, 2, ... 176, ) == 0x0
 01390  1352   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01391  1352   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01392  1352   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01393  1352   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01394  1352   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01395  1352   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10679196,  (0xc0100080, {24, 0, 0x40, 0, 10679196, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01396  1352   NtSetInformationFile  (184, 10679252, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01397  1352   NtSetInformationFile  (184, 10679244, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01398  1352   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01399  1352   NtWriteFile  (184, 161, 0, 0,  (184, 161, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01400  1352   NtReadFile  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\244\31\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01401  1352   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\244\31\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=68},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\244\31\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01402  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0
 01403  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01404  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01405  1352   NtClose  (188, ... ) == 0x0
 01406  1352   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10681244,  (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01407  1352   NtQueryInformationFile  (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01408  1352   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01409  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01410  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01411  1352   NtClose  (188, ... ) == 0x0
 01412  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01342   780   NtDelayExecution  ... ) == 0x0
 01413   780   NtContinue  (12776104, 0, ...
 01414   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01412  1352   NtDelayExecution  ... ) == 0x0
 01415  1352   NtEnumerateValueKey  (144, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01416  1352   NtClose  (144, ... ) == 0x0
 01417  1352   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01418  1352   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01419  1352   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01420  1352   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01421  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0
 01422  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01423  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01424  1352   NtClose  (188, ... ) == 0x0
 01425  1352   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10681244,  (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01426  1352   NtQueryInformationFile  (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01427  1352   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01428  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01429  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01430  1352   NtClose  (188, ... ) == 0x0
 01431  1352   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01432  1352   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01433  1352   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01434  1352   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01435  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0
 01436  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01437  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01438  1352   NtClose  (188, ... ) == 0x0
 01439  1352   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10681244,  (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01440  1352   NtQueryInformationFile  (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01441  1352   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01442  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01443  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01444  1352   NtClose  (188, ... ) == 0x0
 01445  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01414   780   NtDelayExecution  ... ) == 0x0
 01446   780   NtContinue  (12776104, 0, ...
 01447   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01445  1352   NtDelayExecution  ... ) == 0x0
 01448  1352   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0y\0k\0t\0r\0u\0.\0e\0x\0e\0\0\0"}, 88, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0y\0k\0t\0r\0u\0.\0e\0x\0e\0\0\0"}, 88, ) }, 88, ) == 0x0
 01449  1352   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0y\0k\0t\0r\0u\0.\0e\0x\0e\0\0\0"}, 88, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0y\0k\0t\0r\0u\0.\0e\0x\0e\0\0\0"}, 88, ) }, 88, ) == 0x0
 01450  1352   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\4\0\0\0L\0\0\0\0\0\1\0p\342\0\20\36\0\0\0\0\0\0\0\36\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0Y\0K\0T\0R\0U\0.\0E\0X\0E\0\0\0", 100, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 100, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\4\0\0\0L\0\0\0\0\0\1\0p\342\0\20\36\0\0\0\0\0\0\0\36\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0Y\0K\0T\0R\0U\0.\0E\0X\0E\0\0\0", 100, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01451  1352   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YKTRU.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0
 01452  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YKTRU.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01453  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01454  1352   NtClose  (188, ... ) == 0x0
 01455  1352   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10681244,  (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\WINDOWS\SYSTEM32\YKTRU.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01456  1352   NtQueryInformationFile  (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01457  1352   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01458  1352   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YKTRU.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01459  1352   NtSetInformationFile  (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01460  1352   NtClose  (188, ... ) == 0x0
 01461  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01142  1488   NtDelayExecution  ... ) == 0x0
 01462  1488   NtOpenKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0
 01463  1488   NtSetValueKey  (188,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 0, 4,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 4, ...
 01464  1488   NtSetInformationFile  (-2147482700, -131217612, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01465  1488   NtSetInformationFile  (-2147482700, -131217648, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01466  1488   NtSetInformationFile  (-2147482700, -131217704, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01467  1488   NtSetInformationFile  (-2147482700, -131218012, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01463  1488   NtSetValueKey  ... ) == 0x0
 01468  1488   NtClose  (188, ... ) == 0x0
 01469  1488   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 188, ) }, ... 188, ) == 0x0
 01470  1488   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01471  1488   NtClose  (188, ... ) == 0x0
 01472  1488   NtAllocateVirtualMemory  (-1, 11718656, 0, 4096, 4096, 260, ... 11718656, 4096, ) == 0x0
 01473  1488   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01474  1488   NtCreateKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 188, 2, ) }, 0, 0x0, 0, ... 188, 2, ) == 0x0
 01475  1488   NtQueryDefaultUILanguage  (11727188, ...
 01476  1488   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01477  1488   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 01478  1488   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01479  1488   NtClose  (-2147482040, ... ) == 0x0
 01480  1488   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 01481  1488   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482  1488   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 01483  1488   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1488   NtClose  (-2147482036, ... ) == 0x0
 01485  1488   NtClose  (-2147482040, ... ) == 0x0
 01475  1488   NtQueryDefaultUILanguage  ... ) == 0x0
 01486  1488   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  1488   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01488  1488   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0
 01489  1488   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd70000), 0x0, 593920, ) == 0x0
 01490  1488   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491  1488   NtAllocateVirtualMemory  (-1, 11714560, 0, 4096, 4096, 260, ... 11714560, 4096, ) == 0x0
 01492  1488   NtQueryDefaultLocale  (1, 11725224, ... ) == 0x0
 01493  1488   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1488   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0}  (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ... {128, 156, reply, 0, 412, 1488, 2422, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 1488, 2422, 0}  (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ... {128, 156, reply, 0, 412, 1488, 2422, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" )  ) == 0x0
 01495  1488   NtClose  (192, ... ) == 0x0
 01496  1488   NtClose  (196, ... ) == 0x0
 01497  1488   NtUnmapViewOfSection  (-1, 0xd70000, ... ) == 0x0
 01498  1488   NtUnmapViewOfSection  (-1, 0xb2f400, ... ) == STATUS_NOT_MAPPED_VIEW
 01499  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01500  1488   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01502  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01503  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 11723764, ... ) }, 11723764, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01505  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01506  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01507  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 11724356, ... ) }, 11724356, ... ) == 0x0
 01508  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 196, {status=0x0, info=1}, ) }, 3, 33, ... 196, {status=0x0, info=1}, ) == 0x0
 01509  1488   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01510  1488   NtCreateKey  (0x2001f, {24, 64, 0x40, 0, 0,  (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0
 01511  1488   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 4096, 4, ... 14090240, 262144, ) == 0x0
 01512  1488   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01513  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0
 01514  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01515  1488   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0
 01516  1488   NtClose  (200, ... ) == 0x0
 01517  1488   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdb0000), 0x0, 229376, ) == 0x0
 01518  1488   NtClose  (204, ... ) == 0x0
 01519  1488   NtUnmapViewOfSection  (-1, 0xdb0000, ... ) == 0x0
 01520  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727364, ... ) }, 11727364, ... ) == 0x0
 01521  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01522  1488   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0
 01523  1488   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01524  1488   NtClose  (204, ... ) == 0x0
 01525  1488   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 01526  1488   NtClose  (200, ... ) == 0x0
 01527  1488   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01528  1488   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01529  1488   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01530  1488   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01531  1488   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533  1488   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == 0x0
 01535  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01536  1488   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01537  1488   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01538  1488   NtClose  (204, ... ) == 0x0
 01539  1488   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01540  1488   NtClose  (208, ... ) == 0x0
 01541  1488   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 01542  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01543  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544  1488   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545  1488   NtQueryValueKey  (204,  (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546  1488   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547  1488   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548  1488   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01549  1488   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550  1488   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551  1488   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552  1488   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553  1488   NtQueryValueKey  (204,  (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554  1488   NtQueryValueKey  (204,  (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555  1488   NtQueryValueKey  (204,  (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556  1488   NtQueryValueKey  (204,  (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557  1488   NtQueryValueKey  (204,  (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558  1488   NtQueryValueKey  (204,  (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01559  1488   NtQueryValueKey  (204,  (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560  1488   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561  1488   NtQueryValueKey  (204,  (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562  1488   NtQueryValueKey  (204,  (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563  1488   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564  1488   NtQueryValueKey  (204,  (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565  1488   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566  1488   NtQueryValueKey  (204,  (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567  1488   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568  1488   NtQueryValueKey  (204,  (204, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569  1488   NtQueryValueKey  (208,  (208, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570  1488   NtQueryValueKey  (204,  (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571  1488   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572  1488   NtQueryValueKey  (204,  (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573  1488   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574  1488   NtQueryValueKey  (204,  (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575  1488   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576  1488   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577  1488   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578  1488   NtQueryValueKey  (204,  (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579  1488   NtQueryValueKey  (204,  (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580  1488   NtQueryValueKey  (204,  (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581  1488   NtQueryValueKey  (204,  (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582  1488   NtQueryValueKey  (204,  (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583  1488   NtQueryValueKey  (204,  (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584  1488   NtQueryValueKey  (204,  (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01585  1488   NtQueryValueKey  (204,  (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586  1488   NtQueryValueKey  (204,  (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01587  1488   NtQueryValueKey  (204,  (204, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588  1488   NtQueryValueKey  (204,  (204, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589  1488   NtQueryValueKey  (204,  (204, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590  1488   NtQueryValueKey  (204,  (204, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591  1488   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 01592  1488   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01593  1488   NtClose  (212, ... ) == 0x0
 01594  1488   NtClose  (208, ... ) == 0x0
 01595  1488   NtClose  (204, ... ) == 0x0
 01596  1488   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01597  1488   NtQueryValueKey  (204,  (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598  1488   NtQueryValueKey  (204,  (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599  1488   NtQueryValueKey  (204,  (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600  1488   NtClose  (204, ... ) == 0x0
 01601  1488   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01602  1488   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 208, ) == 0x0
 01603  1488   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01604  1488   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727640, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727640, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01605  1488   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850}  (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0X*\25\0\200*\25\0\250*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\301\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2424, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0X*\25\0\200*\25\0\250*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\301\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 1488, 2424, 0}  (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0X*\25\0\200*\25\0\250*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\301\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2424, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0X*\25\0\200*\25\0\250*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\301\0\0\0\5\0\0\0" )  ) == 0x0
 01606  1488   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 0, 0, 0, 0, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 412, 1488, 2425, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2504\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 412, 1488, 2425, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 412, 1488, 2425, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2504\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 01607  1488   NtClose  (212, ... ) == 0x0
 01608  1488   NtClose  (216, ... ) == 0x0
 01609  1488   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01610  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01611  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612  1488   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01613  1488   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01614  1488   NtClose  (216, ... ) == 0x0
 01615  1488   NtClose  (212, ... ) == 0x0
 01616  1488   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01617  1488   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727504, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727504, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01618  1488   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850}  (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\350)\25\0\210*\25\0\0\0\0\0\310\1\24\00+\25\0\4\0\0\0\0\0\0\0\0\0\24\0x+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2428, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\350)\25\0\210*\25\0\0\0\0\0\310\1\24\00+\25\0\4\0\0\0\0\0\0\0\0\0\24\0x+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 1488, 2428, 0}  (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\350)\25\0\210*\25\0\0\0\0\0\310\1\24\00+\25\0\4\0\0\0\0\0\0\0\0\0\24\0x+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2428, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\350)\25\0\210*\25\0\0\0\0\0\310\1\24\00+\25\0\4\0\0\0\0\0\0\0\0\0\24\0x+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 01619  1488   NtRequestWaitReplyPort  (216, {44, 68, new_msg, 0, 412, 1488, 2425, 0}  (216, {44, 68, new_msg, 0, 412, 1488, 2425, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 1488, 2429, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 412, 1488, 2429, 0}  (216, {44, 68, new_msg, 0, 412, 1488, 2425, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 1488, 2429, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 01620  1488   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 56, 0, 1, 0, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\262\0@\0\314w\200)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0\200)\25\0\1\0\0\0\20;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 1488, 2430, 0} "\10\364\262\0@\0\314w\200)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0\200)\25\0\1\0\0\0\20;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 412, 1488, 2430, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\262\0@\0\314w\200)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0\200)\25\0\1\0\0\0\20;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 1488, 2430, 0} "\10\364\262\0@\0\314w\200)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0\200)\25\0\1\0\0\0\20;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01621  1488   NtClose  (212, ... ) == 0x0
 01622  1488   NtClose  (216, ... ) == 0x0
 01623  1488   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01624  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01625  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01626  1488   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01627  1488   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01628  1488   NtClose  (216, ... ) == 0x0
 01629  1488   NtClose  (212, ... ) == 0x0
 01630  1488   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01631  1488   NtQueryValueKey  (212,  (212, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01632  1488   NtClose  (212, ... ) == 0x0
 01633  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0
 01634  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01635  1488   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0
 01636  1488   NtClose  (212, ... ) == 0x0
 01637  1488   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdb0000), 0x0, 16384, ) == 0x0
 01638  1488   NtClose  (216, ... ) == 0x0
 01639  1488   NtUnmapViewOfSection  (-1, 0xdb0000, ... ) == 0x0
 01640  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11727364, ... ) }, 11727364, ... ) == 0x0
 01641  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0
 01642  1488   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0
 01643  1488   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01644  1488   NtClose  (216, ... ) == 0x0
 01645  1488   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 01646  1488   NtClose  (212, ... ) == 0x0
 01647  1488   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 212, ) }, ... 212, ) == 0x0
 01648  1488   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01649  1488   NtClose  (212, ... ) == 0x0
 01650  1488   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01651  1488   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01652  1488   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 216, ) }, ... 216, ) == 0x0
 01653  1488   NtQueryValueKey  (216,  (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01654  1488   NtClose  (216, ... ) == 0x0
 01655  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0
 01656  1488   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01657  1488   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14352384, 65536, ) == 0x0
 01658  1488   NtAllocateVirtualMemory  (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0
 01659  1488   NtAllocateVirtualMemory  (-1, 14356480, 0, 8192, 4096, 4, ... 14356480, 8192, ) == 0x0
 01660  1488   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0
 01661  1488   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727324, 112, ... 220, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727324, 112, ... 220, 0x0, 0x0, 0x0, 112, ) == 0x0
 01662  1488   NtRequestWaitReplyPort  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088} "\0$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\330*\25\0\4\0\0\0\330*\25\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\370K\25\0`J\25\0\320K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2433, 0} "\7$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\330*\25\0\377\377\377\377\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\370K\25\0`J\25\0\320K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 412, 1488, 2433, 0}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088} "\0$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\330*\25\0\4\0\0\0\330*\25\0\20\344\314w\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\370K\25\0`J\25\0\320K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 412, 1488, 2433, 0} "\7$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\330*\25\0\377\377\377\377\330*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\370K\25\0`J\25\0\320K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01663  1488   NtRequestWaitReplyPort  (220, {104, 128, new_msg, 0, 412, 1488, 2429, 0}  (220, {104, 128, new_msg, 0, 412, 1488, 2429, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\344I\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01461  1352   NtDelayExecution  ... ) == 0x0
 01664  1352   NtEnumerateValueKey  (144, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01665  1352   NtClose  (144, ... ) == 0x0
 01666  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01447   780   NtDelayExecution  ... ) == 0x0
 01667   780   NtContinue  (12776104, 0, ...
 01668   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01666  1352   NtDelayExecution  ... ) == 0x0
 01669  1352   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 144, {status=0x0, info=1}, ) }, 3, 16417, ... 144, {status=0x0, info=1}, ) == 0x0
 01670  1352   NtQueryDirectoryFile  (144, 0, 0, 0, 10680804, 616, BothDirectory, 1,  (144, 0, 0, 0, 10680804, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01671  1352   NtAllocateVirtualMemory  (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0
 01672  1352   NtQueryDirectoryFile  (144, 0, 0, 0, 1395832, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0
 01673  1352   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01674  1352   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 224, {status=0x0, info=1}, ) }, 3, 16417, ... 224, {status=0x0, info=1}, ) == 0x0
 01675  1352   NtQueryDirectoryFile  (224, 0, 0, 0, 10680744, 616, BothDirectory, 1,  (224, 0, 0, 0, 10680744, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01676  1352   NtQueryDirectoryFile  (224, 0, 0, 0, 1399936, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0
 01677  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01668   780   NtDelayExecution  ... ) == 0x0
 01678   780   NtContinue  (12776104, 0, ...
 01679   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01677  1352   NtDelayExecution  ... ) == 0x0
 01680  1352   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\REPAIR\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 228, {status=0x0, info=1}, ) == 0x0
 01681  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 10680684, 616, BothDirectory, 1,  (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01682  1352   NtAllocateVirtualMemory  (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0
 01683  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1240}, ) == 0x0
 01684  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01685  1352   NtClose  (228, ... ) == 0x0
 01686  1352   NtDelayExecution  (0, {-5120000, -1}, ... ) == 0x0
 01687  1352   NtDelayExecution  (0, {-10240000, -1}, ...
 01679   780   NtDelayExecution  ... ) == 0x0
 01688   780   NtContinue  (12776104, 0, ...
 01689   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01687  1352   NtDelayExecution  ... ) == 0x0
 01690  1352   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\INF\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 228, {status=0x0, info=1}, ) == 0x0
 01691  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 10680684, 616, BothDirectory, 1,  (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01692  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3990}, ) == 0x0
 01693  1352   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 96, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01694  1352   NtDelayExecution  (0, {-20480000, -1}, ...
 01689   780   NtDelayExecution  ... ) == 0x0
 01695   780   NtContinue  (12776104, 0, ...
 01696   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01694  1352   NtDelayExecution  ... ) == 0x0
 01697  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0
 01698  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3986}, ) == 0x0
 01699  1352   NtDelayExecution  (0, {-81920000, -1}, ...
 01663  1488   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 412, 1488, 2434, 0}  ... {44, 68, reply, 0, 412, 1488, 2434, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0F'\0\0\1\0\0\0" )  ) == 0x0
 01700  1488   NtClose  (216, ... ) == 0x0
 01701  1488   NtClose  (220, ... ) == 0x0
 01702  1488   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 220, ) }, ... 220, ) == 0x0
 01703  1488   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01704  1488   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01705  1488   NtQueryValueKey  (220,  (220, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01706  1488   NtClose  (220, ... ) == 0x0
 01707  1488   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01708  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01709  1488   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01710  1488   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == 0x0
 01711  1488   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 01712  1488   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 220, ... 216, ) == 0x0
 01713  1488   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01714  1488   NtClose  (220, ... ) == 0x0
 01715  1488   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 01716  1488   NtClose  (216, ... ) == 0x0
 01717  1488   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0
 01718  1488   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0
 01719  1488   NtDeviceIoControlFile  (216, 220, 0x0, 0x0, 0xf14014,  (216, 220, 0x0, 0x0, 0xf14014, "\3\0\0\0www.microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 01720  1488   NtClose  (220, ... ) == 0x0
 01721  1488   NtClose  (216, ... ) == 0x0
 01722  1488   NtDelayExecution  (0, {1770094592, -2}, ...
 01696   780   NtDelayExecution  ... ) == 0x0
 01723   780   NtContinue  (12776104, 0, ...
 01724   780   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01725   780   NtContinue  (12776104, 0, ...
 01726   780   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01727   780   NtContinue  (12776104, 0, ...
 01728   780   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01729   780   NtContinue  (12776104, 0, ...
 01730   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01699  1352   NtDelayExecution  ... ) == 0x0
 01731  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0
 01732  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4078}, ) == 0x0
 01733  1352   NtQueryDirectoryFile  (228, 0, 0, 0, 1404136, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4066}, ) == 0x0
 01734  1352   NtDelayExecution  (0, {-81920000, -1}, ...
 01730   780   NtDelayExecution  ... ) == 0x0
 01735   780   NtContinue  (12776104, 0, ...
 01736   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01225   416   NtUserWaitForInputIdle  ... ) == 0x102
 01737   416   NtClose  (120, ... ) == 0x0
 01738   416   NtClose  (112, ... ) == 0x0
 01739   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01740   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01741   416   NtDelayExecution  (0, {-10000000, -1}, ...
 01736   780   NtDelayExecution  ... ) == 0x0
 01742   780   NtContinue  (12776104, 0, ...
 01743   780   NtDelayExecution  (0, {-20480000, -1}, ...
 01741   416   NtDelayExecution  ... ) == 0x0
 01744   416   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 112, ) }, 0, ... 112, ) == 0x0
 01745   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01746   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01747   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0
 01749   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 01750   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 120, ... 216, ) == 0x0
 01751   416   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01752   416   NtClose  (120, ... ) == 0x0
 01753   416   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01754   416   NtClose  (216, ... ) == 0x0
 01755   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 216, ) }, ... 216, ) == 0x0
 01756   416   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01757   416   NtClose  (216, ... ) == 0x0
 01758   416   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 216, ) == 0x0
 01759   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 01760   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 220, ) }, ... 220, ) == 0x0
 01761   416   NtNotifyChangeKey  (220, 120, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01762   416   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01763   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 232, ) == 0x0
 01764   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0
 01765   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0
 01769   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01770   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0
 01771   416   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01772   416   NtClose  (240, ... ) == 0x0
 01773   416   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01774   416   NtClose  (244, ... ) == 0x0
 01775   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == 0x0
 01779   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01780   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0
 01781   416   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01782   416   NtClose  (244, ... ) == 0x0
 01783   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01784   416   NtClose  (240, ... ) == 0x0
 01785   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01786   416   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 14417920, 262144, ) == 0x0
 01787   416   NtAllocateVirtualMemory  (-1, 14417920, 0, 4096, 4096, 4, ... 14417920, 4096, ) == 0x0
 01788   416   NtAllocateVirtualMemory  (-1, 14422016, 0, 8192, 4096, 4, ... 14422016, 8192, ) == 0x0
 01789   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01790   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01791   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01792   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01794   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0
 01795   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01796   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0
 01797   416   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01798   416   NtClose  (240, ... ) == 0x0
 01799   416   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01800   416   NtClose  (244, ... ) == 0x0
 01801   416   NtAllocateVirtualMemory  (-1, 8863744, 0, 8192, 4096, 4, ... 8863744, 8192, ) == 0x0
 01802   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01803   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 01804   416   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01805   416   NtClose  (244, ... ) == 0x0
 01806   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 244, ) }, ... 244, ) == 0x0
 01807   416   NtOpenKey  (0x20019, {24, 244, 0x40, 0, 0,  (0x20019, {24, 244, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   416   NtClose  (244, ... ) == 0x0
 01809   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 244, ) }, ... 244, ) == 0x0
 01810   416   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01811   416   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01812   416   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01813   416   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01814   416   NtClose  (244, ... ) == 0x0
 01815   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 244, ) }, ... 244, ) == 0x0
 01816   416   NtQueryValueKey  (244,  (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01817   416   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01818   416   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01819   416   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01820   416   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01821   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 01822   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01823   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 240, ... 248, ) == 0x0
 01824   416   NtClose  (240, ... ) == 0x0
 01825   416   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0
 01826   416   NtClose  (248, ... ) == 0x0
 01827   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01828   416   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01829   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238660, ... ) }, 1238660, ... ) == 0x0
 01830   416   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 01831   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239184,  (0x80100080, {24, 0, 0x40, 0, 1239184, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01832   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0
 01833   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0
 01834   416   NtQueryDefaultLocale  (1, 1238992, ... ) == 0x0
 01835   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01836   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01837   416   NtReadFile  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01838   416   NtQueryInformationFile  (248, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01839   416   NtSetInformationFile  (248, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01840   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01841   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01842   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01843   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01844   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01845   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01846   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01847   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01848   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01849   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01850   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01851   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01852   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01853   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01854   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01855   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01856   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01857   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01858   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01859   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01860   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01861   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01862   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01863   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01864   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01865   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01866   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01867   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01868   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01869   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01870   416   NtReadFile  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01871   416   NtQueryInformationFile  (248, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01872   416   NtSetInformationFile  (248, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01873   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01874   416   NtReadFile  (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01875   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01876   416   NtClose  (240, ... ) == 0x0
 01877   416   NtClose  (248, ... ) == 0x0
 01878   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0
 01879   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0
 01880   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 248, ... 240, ) == 0x0
 01881   416   NtClose  (248, ... ) == 0x0
 01882   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0
 01883   416   NtClose  (240, ... ) == 0x0
 01884   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01885   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238032, ... ) }, 1238032, ... ) == 0x0
 01886   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01887   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 248, ) == 0x0
 01888   416   NtQuerySection  (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01889   416   NtClose  (240, ... ) == 0x0
 01890   416   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01891   416   NtClose  (248, ... ) == 0x0
 01892   416   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01893   416   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01894   416   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01895   416   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01896   416   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01897   416   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01898   416   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01899   416   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01900   416   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01901   416   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01902   416   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01903   416   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01904   416   NtAllocateVirtualMemory  (-1, 1413120, 0, 20480, 4096, 4, ... 1413120, 20480, ) == 0x0
 01905   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01906   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01907   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01908   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01909   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01910   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01911   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01912   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01913   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01914   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01915   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01916   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01917   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01918   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01919   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01920   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01921   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01922   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01923   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01924   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01925   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01926   416   NtQueryDefaultLocale  (1, 1236884, ... ) == 0x0
 01927   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236984, ... ) }, 1236984, ... ) == 0x0
 01928   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237716,  (0x80100080, {24, 0, 0x40, 0, 1237716, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01929   416   NtQueryVolumeInformationFile  (248, 1237876, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01930   416   NtQueryInformationFile  (248, 1237768, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01931   416   NtQueryInformationFile  (248, 1238060, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01932   416   NtClose  (248, ... ) == 0x0
 01933   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236476, ... ) }, 1236476, ... ) == 0x0
 01934   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237208,  (0x80100080, {24, 0, 0x40, 0, 1237208, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01935   416   NtQueryVolumeInformationFile  (248, 1237368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01936   416   NtQueryInformationFile  (248, 1237260, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01937   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0
 01938   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0
 01939   416   NtQueryDefaultLocale  (1, 1237348, ... ) == 0x0
 01940   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01941   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01942   416   NtQueryDefaultLocale  (1, 1237348, ... ) == 0x0
 01943   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01944   416   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01945   416   NtReadFile  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01946   416   NtQueryInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01947   416   NtSetInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01948   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01949   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01950   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01951   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01952   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01953   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01954   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01955   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01956   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01957   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01958   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01959   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01960   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01961   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01962   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01963   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01964   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01965   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01966   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01967   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01968   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01969   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01970   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01971   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01972   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01973   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01974   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01975   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01976   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01977   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01978   416   NtReadFile  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01979   416   NtQueryInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01980   416   NtSetInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01981   416   NtQueryInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01982   416   NtSetInformationFile  (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01983   416   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01984   416   NtReadFile  (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01985   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01986   416   NtClose  (240, ... ) == 0x0
 01987   416   NtClose  (248, ... ) == 0x0
 01988   416   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 248, ) }, ... 248, ) == 0x0
 01989   416   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01990   416   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01991   416   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01992   416   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01993   416   NtClose  (248, ... ) == 0x0
 01994   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01995   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01996   416   NtOpenProcessToken  (-1, 0x8, ... 248, ) == 0x0
 01997   416   NtQueryInformationToken  (248, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01998   416   NtClose  (248, ... ) == 0x0
 01999   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 248, {status=0x0, info=0}, ) }, 7, 16, ... 248, {status=0x0, info=0}, ) == 0x0
 02000   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\351-8\374\13&\305:\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02001   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02002   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02003   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02004   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02005   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02006   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02007   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02008   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02009   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\35\201\32Rg\322\341 e\232\330\321y\307/\213\247v\1P\300H\24\257\13Q\17\261\304U\363=\256\5\212\350\243\333\23\325\241o:mG\37'\32t\210h\242\345\17v\1g\211xda\217!\27\352\242\276\6\245Nn\262\26W6.\215\242\356\275", 80, ... , 0, 3,  (-2147482212, "Seed", 0, 3, "\35\201\32Rg\322\341 e\232\330\321y\307/\213\247v\1P\300H\24\257\13Q\17\261\304U\363=\256\5\212\350\243\333\23\325\241o:mG\37'\32t\210h\242\345\17v\1g\211xda\217!\27\352\242\276\6\245Nn\262\26W6.\215\242\356\275", 80, ... , 80, ...
 02010   416   NtSetInformationFile  (-2147482808, -136511876, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02011   416   NtSetInformationFile  (-2147482808, -136511912, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02009   416   NtSetValueKey  ... ) == 0x0
 02012   416   NtClose  (-2147482212, ... ) == 0x0
 02000   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\231$\235\307\301\370\17\335\322m\257`\243\220\303_Eii>\37\222\371\274\12\351\255\345D\221\36v\272\2628\202\267\247\366\27\7\351\27\206\352\360\22\0\270\372\261c@\17p\240\260\32\3304\320M\245\35?\322H\277\350\267I\204\224\12\30i\244\250H \330+?U\342\264\350\31\205\224\27nK\346\356\206\247\314&\200\317\253\234\274\311\206\330\272\353v\212\118\253n\352y\252\263\376V\357\302\227\220\275\255\2400-\350J\242\256;\317w\357\332M1K\204\303\213\376\242:\13\\226\222\357\202;\223\332k\251\30z\26J\330\363\6\225\217\231\22\373\243p\37\211\301\213qTR\203p\372z\247yW\34\264\10r]K\4Q\260\245\247\276\312\257\360\221O\237U\4\230GT.Ji\216\236\305\240$v\231A]H\370\277IZ\374\205\305\14\33$\2\313\\374\226\16\375\\375\215\335Lj\30\277\352\336\245Y\16Dx", ) , ) == 0x0
 02013   416   NtClose  (244, ... ) == 0x0
 02014   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\226\225\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02015   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02016   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02017   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02018   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02019   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02020   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02021   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02022   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02023   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\367\360\320m\35\267\306BMv6\4\244\227m;\374\7\16A\323\253\252\365\22\362d\342\11k\356\224\345.\363\306F\231\367\3CC\302\340/\204\340%H"\360'\274\245\364Jd]\273\360o\307\220\324{s\347Jb6\3559\376\3158\21\325\276\341b", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\367\360\320m\35\267\306BMv6\4\244\227m;\374\7\16A\323\253\252\365\22\362d\342\11k\356\224\345.\363\306F\231\367\3CC\302\340/\204\340%H"\360'\274\245\364Jd]\273\360o\307\220\324{s\347Jb6\3559\376\3158\21\325\276\341b", 80, ... ) \360'\274\245\364Jd]\273\360o\307\220\324{s\347Jb6\3559\376\3158\21\325\276\341b", 80, ... ) == 0x0
 02024   416   NtClose  (-2147482212, ... ) == 0x0
 02014   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\264z2Z\303<\366\210=\\363\325\231k\20\222\363\227\361:\363\305\5z\241\262\323f\7g\236)\252\274\301\301\267\2412M@:\266\6N\24\365\310\270b\241K\364nZv\367\265_I\241\331\251a\240\200_\336\35\271\227\320\365\2\253P\52\17\206\273\317^ \302r`Q7\264\354(\21\260X{_\2737\333I\33\362%\275\2335\336\374\273c!\361\305c^\236\347\334\213\24\2717\230:\3019\23\23\377\266\206\30ub\0\357Y\311C\24\232(\361d\31\266\274\226>\307?i\262\246\346x*\3\353\236w>\325\12;\317\211\270\344\240_\271\346\230p\235]\351\245\330\370\207\325\267\331\217241\331\251a\240\200_\336\35\271\227\320\365\2\253P\52\17\206\273\317^ \302r`Q7\264\354(\21\260X{_\2737\333I\33\362%\275\2335\336\374\273c!\361\305c^\236\347\334\213\24\2717\230:\3019\23\23\377\266\206\30ub\0\357Y\311C\24\232(\361d\31\266\274\226>\307?i\262\246\346x*\3\353\236w>\325\12;\317\211\270\344\240_\271\346\230p\235]\351\245\330\370\207\325\267\331\21716\376\304\24\270\204h\367\222\350=\221\3525\257\27OV\220\331\246\376(\2O\27\336o\246", ) == 0x0
 02025   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02026   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02027   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02028   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02029   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02030   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02031   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02032   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02033   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02034   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\375r\316\240?\322\245GI\231\250q\252\326\374\226l\331\25\307$B\220EF\355\205V2\322S\202\210\337w\2271\30\370M\304\31\23\305\232q\366\337\14W\252Q\223\30\315\257\177\360\351\32\22\25z\241\246@\366s\330\2123\11x\367M\3221\354\262E", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\375r\316\240?\322\245GI\231\250q\252\326\374\226l\331\25\307$B\220EF\355\205V2\322S\202\210\337w\2271\30\370M\304\31\23\305\232q\366\337\14W\252Q\223\30\315\257\177\360\351\32\22\25z\241\246@\366s\330\2123\11x\367M\3221\354\262E", 80, ... ) , 80, ... ) == 0x0
 02035   416   NtClose  (-2147482212, ... ) == 0x0
 02025   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "g5\265\374%\206f\236\237\244\331\301\15\315\217L\27Xg\214\307e\275\\202^\11\210\222\245\343J\37\272\210\205\215\221\333\34r~\336\5\26\376\4\245\3362Y\300\224\254\327\350\255Fp\350\246+\234\337\206\315\375\3512\254\372c)x\10z\334#a|\36\263\305m2\370|K!#rf\13\366\30P\23\345\244\376\341\334f\7,\311W^l\221\265\344'b\222I\13\334z\277\3443\221}\223\235\245\377p\247\343\205\262*\240\7\7\376\357\260WfU\272~\207\203\13@N\305l\354\332,[\23R\326\203\3709N\11\244\331v\317j\211 \266E\334iWP\12b\326\333>\371g\250=tF<\254\232m]44\276\226\247\373\37\263\351\2763\1\36\237\216goS\222\317\2\231!\276\222\212\377r\355\22G$'\\347V\244E\262/RT4\202\34N\235\344\220Z\207\32Z\253:V\205\237\34\310e\15", ) , ) == 0x0
 02036   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359\330\252rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02037   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02038   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02039   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02040   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02041   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02042   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02043   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02044   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02045   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\334\34\337\363\237`E\79\243\376\3176|bL\366\200\236\271{\364\277\35\\4\319\241\333\244\234R\355T\211O^\311n\250\370m\374\254~\334\3\343+n\227\362S\234`\223S#\266&%\30?qM\251\300K\205\371?\321\3538T[Gk\304", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\334\34\337\363\237`E\79\243\376\3176|bL\366\200\236\271{\364\277\35\\4\319\241\333\244\234R\355T\211O^\311n\250\370m\374\254~\334\3\343+n\227\362S\234`\223S#\266&%\30?qM\251\300K\205\371?\321\3538T[Gk\304", 80, ... ) , 80, ... ) == 0x0
 02046   416   NtClose  (-2147482212, ... ) == 0x0
 02036   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\245\252%)\16D\223\227V\352\370\2504\317\365m\354\305\345d\27016">f\210\6\21088\2241\226_\6\214sz\240\230I.:[\201\35K\11\4s\275%z\337\235\0Uj?Bw\262\356>\216\302\362\372\313*z\30\2\3332/.\363\216\340\232s\11\226q\255y\362\330\205~\310\31\306\317\266@q(;9\313#\211\\22\232\232\214,r"\323\357=\327fX1l\3568?\32\237B$$t\21\316}\306\223\275\373d\332\364\246&P\363\12\300\1y\324QH\2736\376\264\277h\211 \247{\333\26V^\307\357J\302\361\227+l\307\22\17}e\223\237.o\327+nf\20\221k\225\352\34\14b\322\14Ms\210\320\346c!\177\227\305Y\236\335\350\234\213X\267Q\\313\242\254\177\327\15#?\341-\271\274\225\376\334D\360\254\363\333\314\200r\362\270\210\336:3!\27\2\335\205\357[E\334", ) >f\210\6\21088\2241\226_\6\214sz\240\230I.:[\201\35K\11\4s\275%z\337\235\0Uj?Bw\262\356>\216\302\362\372\313*z\30\2\3332/.\363\216\340\232s\11\226q\255y\362\330\205~\310\31\306\317\266@q(;9\313#\211\\22\232\232\214,r ... {status=0x0, info=256}, "\245\252%)\16D\223\227V\352\370\2504\317\365m\354\305\345d\27016">f\210\6\21088\2241\226_\6\214sz\240\230I.:[\201\35K\11\4s\275%z\337\235\0Uj?Bw\262\356>\216\302\362\372\313*z\30\2\3332/.\363\216\340\232s\11\226q\255y\362\330\205~\310\31\306\317\266@q(;9\313#\211\\22\232\232\214,r"\323\357=\327fX1l\3568?\32\237B$$t\21\316}\306\223\275\373d\332\364\246&P\363\12\300\1y\324QH\2736\376\264\277h\211 \247{\333\26V^\307\357J\302\361\227+l\307\22\17}e\223\237.o\327+nf\20\221k\225\352\34\14b\322\14Ms\210\320\346c!\177\227\305Y\236\335\350\234\213X\267Q\\313\242\254\177\327\15#?\341-\271\274\225\376\334D\360\254\363\333\314\200r\362\270\210\336:3!\27\2\335\205\357[E\334", ) , ) == 0x0
 02047   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359\330\252rsX\2359\330\252rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02048   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02049   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02050   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02051   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02052   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02053   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02054   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02055   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02056   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\26i\3164\379uv\205\265\367\311o\3040\374U\4\322d\247\352U\265h\336:\2207+\224\376K\245\6?\307\232P\255\6\321\331t\314\376\225\17@H\327\371\54WgFP\26\343[W\302\311X\242(V\243\275\255\362\26\337G\363\334\340K", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\26i\3164\379uv\205\265\367\311o\3040\374U\4\322d\247\352U\265h\336:\2207+\224\376K\245\6?\307\232P\255\6\321\331t\314\376\225\17@H\327\371\54WgFP\26\343[W\302\311X\242(V\243\275\255\362\26\337G\363\334\340K", 80, ... ) , 80, ... ) == 0x0
 02057   416   NtClose  (-2147482212, ... ) == 0x0
 02047   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2425\200{IP\206\3031t\32\375i5|\345\256\247^\313"6$\65\7\344\376\2+\346v\354<\241\331\303p\240\24\23\25\252\256\360-\355\351`\205gP\235%\236pD\3178\225\227\222q\305\316R\35\3"\206\245\223\210Q\233%_\341\361\231\306zCxN\375\330\27\271\337\351\267@\264\1\320\322`4\203R\23\205\332\277\205S{I5@Le\230{\360\337\273X\217\332r\314Cs\256\333\330nqG\307\236\256\21\271\365\22y\362\177\254Qb\355\314/\230]:Z\342\231W\214\320I.\303\366\200\247\304\27$\14\246W\252PH\311!q\363u8\245\2'1\273\224\17\247J\244\34\237C`\303j\256\360\304\265\253\245b\7t\352d\205t\214\342P\342(\336\11\250\205@\27\206\315\313H\232\12#y\212k\263\374)\o\373\341\3500?\233\215_\350\\31\224\\200\311(_\302PV\320\377\222\372", ) 6$\65\7\344\376\2+\346v\354<\241\331\303p\240\24\23\25\252\256\360-\355\351`\205gP\235%\236pD\3178\225\227\222q\305\316R\35\3 ... {status=0x0, info=256}, "\2425\200{IP\206\3031t\32\375i5|\345\256\247^\313"6$\65\7\344\376\2+\346v\354<\241\331\303p\240\24\23\25\252\256\360-\355\351`\205gP\235%\236pD\3178\225\227\222q\305\316R\35\3"\206\245\223\210Q\233%_\341\361\231\306zCxN\375\330\27\271\337\351\267@\264\1\320\322`4\203R\23\205\332\277\205S{I5@Le\230{\360\337\273X\217\332r\314Cs\256\333\330nqG\307\236\256\21\271\365\22y\362\177\254Qb\355\314/\230]:Z\342\231W\214\320I.\303\366\200\247\304\27$\14\246W\252PH\311!q\363u8\245\2'1\273\224\17\247J\244\34\237C`\303j\256\360\304\265\253\245b\7t\352d\205t\214\342P\342(\336\11\250\205@\27\206\315\313H\232\12#y\212k\263\374)\o\373\341\3500?\233\215_\350\\31\224\\200\311(_\302PV\320\377\222\372", ) , ) == 0x0
 02058   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02059   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02060   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02061   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02062   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02063   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02064   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02065   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02066   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02067   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\204\356\13`\375q\337\362{\346-\24\372\341w\201\363\372I\214\326\177yi_\230\3621A\312\304\216\2&\342\222\236\306\212\34, 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\204\356\13`\375q\337\362{\346-\24\372\341w\201\363\372I\214\326\177yi_\230\3621A\312\304\216\2&\342\222\236\306\212\34, 80, ... ) , 80, ... ) == 0x0
 02068   416   NtClose  (-2147482212, ... ) == 0x0
 02058   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\313AA\277(\264NNiS\336\377\37\251\301/\370'\301f\214 \325\320\255\367\25\31Vu\20\266\2315\27\227\256\224\176=\23\256z\244*kNS\33\15F\242\311\327\276pv\%\313\365DQ\211\17\371\242\30\276U\365\276\245\1)\312\322\262\355p\320\346i['a\0\331\16!\201\33*`\206\266:\363\10\2422\257\247\225\3\246R\211X\351~\4"\343[\Z&\326\36q\356Kq\274=\262u!D\17\255_k\2462^\315s\244\01\254\22\14\253\204T\304F\237\343\10>Y'\360\2775F\271@<^\330\306<\356\0\320/\262\3\237\350r-SP\14g9(N\372\237'\333\230\311\252\267,\316\236\332\13~\17=\232\2\324\263\211\12X\220K\32\30\WtI_\307\37\353\360\257\32\266h\254\312\354{\320\30\372\216)\203\302\247o\234y\%\17\305i\364:\5\301m\256+X\356\345", ) \343[\Z&\326\36q\356Kq\274=\262u!D\17\255_k\2462^\315s\244\01\254\22\14\253\204T\304F\237\343\10>Y'\360\2775F\271@<^\330\306<\356\0\320/\262\3\237\350r-SP\14g9(N\372\237'\333\230\311\252\267,\316\236\332\13~\17=\232\2\324\263\211\12X\220K\32\30\WtI_\307\37\353\360\257\32\266h\254\312\354{\320\30\372\216)\203\302\247o\234y\%\17\305i\364:\5\301m\256+X\356\345", ) == 0x0
 02069   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02070   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02071   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02072   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02073   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02074   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02075   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02076   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02077   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02078   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\346\177\3M\310\235\321\204\213\274\261\312\354b\344\364\356R\\271}\7\201\355\312(\244\253I\201\245\33\220\360#~X`U\315TCm\272\351\371@Lp\273p\305\372?p\331GF\275\177$\306\216\351\17\213\333\231\221\275\315\375\360\11\244:\375\224\232", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\346\177\3M\310\235\321\204\213\274\261\312\354b\344\364\356R\\271}\7\201\355\312(\244\253I\201\245\33\220\360#~X`U\315TCm\272\351\371@Lp\273p\305\372?p\331GF\275\177$\306\216\351\17\213\333\231\221\275\315\375\360\11\244:\375\224\232", 80, ... ) , 80, ... ) == 0x0
 02079   416   NtClose  (-2147482212, ... ) == 0x0
 02069   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\26\345MZ\202\340\201}\231\267^\347\205\256\210\334|wM:9\375\360v\1\232#1\325\311\275\2&[\265\214\336\343\204v\310**\321\222_\33\250b\357\243\7|\256\247\244\244l\240\27\2323\31\234B\307>ky\355\3av\243Tb\20\316\226\362*\330\251\320[`\3719xk#{\213?\337\356\262\333T}1\351\245\224;\243\13\245\3103\274g|\377\21'\360\15\311}\15\345\376\255\27\303\26\334\225MCK\22&\2r*|;=\230\11)\367\263\202\7\324\243\260'\246\322|+'\216\13\365\270YK\334\305S\315\330\263^\341\14b\303}\363++\22\337\246v\332R(\30,\337\30?\2272t\4\361T\264\345A\220\15\311\257\231\\311\223\10\23\3649\215\240ew\3623\343\a&&.\346\306%\300WL\327=\257\270T<\270\260#\360\31k\302\273\322\2219\11\227\275\33\225\240\374\373\314\222\367", ) , ) == 0x0
 02080   416   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214kG\322d^jQ\24\377rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359\330\252rsX\2359Z\300\230\353\15\321\255\366\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02081   416   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02082   416   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02083   416   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02084   416   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02085   416   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02086   416   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02087   416   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02088   416   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482212, 2, ) }, 0, 0x0, 0, ... -2147482212, 2, ) == 0x0
 02089   416   NtSetValueKey  (-2147482212,  (-2147482212, "Seed", 0, 3, "\265\203j\240\264|\232\32\264ah\203\203\23\257\231\357\24\310\273\35\237\304(s\305\10\347\354\215\363[E\363\345\226\343\372p\331V\37*u\24296]\374\335\325\303\202\202\201\242\236}&=!\361\371\321i\276j)Jkn\2625\322P\371\324h1\300", 80, ... ) , 0, 3,  (-2147482212, "Seed", 0, 3, "\265\203j\240\264|\232\32\264ah\203\203\23\257\231\357\24\310\273\35\237\304(s\305\10\347\354\215\363[E\363\345\226\343\372p\331V\37*u\24296]\374\335\325\303\202\202\201\242\236}&=!\361\371\321i\276j)Jkn\2625\322P\371\324h1\300", 80, ... ) , 80, ... ) == 0x0
 02090   416   NtClose  (-2147482212, ... ) == 0x0
 02080   416   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "}\365.L\316\16\0K\215E-\236V\302l\300\307\238\207\254:{\37\241F[\27\233\264\225b\7\335\314G\321j \334\207\377\332aHn\237A\352\375\205p\310\361\314\310\214uc\215\7-.}k\356'sy9\19\14g\301T\305/\371\17\24!F\36k\324\334Iz\303\13\30*\257\04:\14\231F\303\251\227\234<\376!\347\210\273\300\212\322y_\366*A\212\332\204\233Pc\272\246\301\206$\14\6\272\257\27\16z\367%\374\300\353"r\371\210\317\302\2162h;nQ\36>\260\335\312k\211\262!\275\267\200\302*4\367\272qn\261\313\325\245\255\234\361k\350\17I\206\370%\227\35\110\17'\305z\371Y\33\354k\215n\307\25\333\322\303\226\263\352H\7\361D\336\331\200\206QS\274\260Y\200\26v\227|V\347Q\360\372\7\375\310x\2\271Q+\331~\3202\302t\310_\347\216\352\277lk\271\212", ) r\371\210\317\302\2162h;nQ\36>\260\335\312k\211\262!\275\267\200\302*4\367\272qn\261\313\325\245\255\234\361k\350\17I\206\370%\227\35\110\17'\305z\371Y\33\354k\215n\307\25\333\322\303\226\263\352H\7\361D\336\331\200\206QS\274\260Y\200\26v\227|V\347Q\360\372\7\375\310x\2\271Q+\331~\3202\302t\310_\347\216\352\277lk\271\212", ) == 0x0
 02091   416   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 244, {status=0x0, info=1}, ) }, 3, 33, ... 244, {status=0x0, info=1}, ) == 0x0
 02092   416   NtQueryVolumeInformationFile  (244, 1238964, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02093   416   NtClose  (12, ... ) == 0x0
 02094   416   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238184,  (0x80100080, {24, 0, 0x40, 0, 1238184, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 02096   416   NtQueryInformationFile  (12, 1239120, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02097   416   NtQueryInformationFile  (12, 1239092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02098   416   NtQueryInformationFile  (12, 1239044, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02099   416   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 02100   416   NtQueryInformationFile  (12, 1432288, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02101   416   NtQueryInformationFile  (12, 1237588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02102   416   NtQueryInformationFile  (12, 1237432, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02103   416   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237440,  (0x40110080, {24, 0, 0x40, 0, 1237440, "\??\C:\WINDOWS\System32\Isass.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02104   416   NtClose  (-2147482212, ... ) == 0x0
 02103   416   NtCreateFile  ... 240, {status=0x0, info=2}, ) == 0x0
 02105   416   NtQueryVolumeInformationFile  (240, 1236812, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 02106   416   NtQueryInformationFile  (240, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02107   416   NtQueryVolumeInformationFile  (12, 1236812, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02108   416   NtQueryVolumeInformationFile  (12, 1236496, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02109   416   NtSetInformationFile  (240, 1236600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02110   416   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 252, ) == 0x0
 02111   416   NtMapViewOfSection  (252, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 196608, ) == 0x0
 02112   416   NtClose  (252, ... ) == 0x0
 02113   416   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\250E\275\305\303L\34\227(\275\232\202z5\212PE\0\0L\1\6\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0@\4\0\0\240\2\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\4\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\241\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02114   416   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "be\311\203\300\305\332\364\270?\34\270\347\351&\260\207\332\370!\252\33iq\205[Eq\226\214\13\33U\257\215\233\320\324\26Y\37"f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351"\302\226\244c\365\331\21\274!\331\311\346\357\245\237\316r\14\177\3572\213O\22\4\311\177\201h\235\267\360\362\16vS\267\24\212o\316\250\26\346\354\212\265z|]\315\220R[\316\222A\373\25[\25U\340e\247\201!\261pU\352ep\231\271\313\25\342\357\265\354\34\305\344\234\370\15bd\335;6A\305\231\16\317\336\6=]\321'\177\370]|\342\347\323\264S=\266\264\311_l\225\363\264\373|\6\264od\364+\214\37\216\374\375\23\263(\327\27\3135nJ\334\273\205\149_}{B_\265hPG\321o\374i\237b\17\13E\376\234\263R_X\265\312/\6e\324vl\36\370\310\3037\26aQI\261;P\374\345T\25\262N\264\374 8\373\3615\374%\240\32\24\275\30\211\366n\256\245\235\371k\300\336\314\304x[\37\361\373f]\313f\236,\346F\243\3050\343\275\300\233\347\340\270\374\315\362\230B\330`\261\273\271*\375\335\245lj\321\320\226\225\3125\271\224\276w+\363\23\2115\262G\202\371\266q\235m\370\327\276\371\257|\217\261\240\220\13\353\232esq\365\233jo\243\227$\366\251W\227\274+\203#\213\317~\27O\274\37b7\34\337\252\352\340\252\330\263\315E\213\220d\233\265w\275\365\373G\305\25\257Gk\267\204\237=", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351 (240, 0, 0, 0, "be\311\203\300\305\332\364\270?\34\270\347\351&\260\207\332\370!\252\33iq\205[Eq\226\214\13\33U\257\215\233\320\324\26Y\37"f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351"\302\226\244c\365\331\21\274!\331\311\346\357\245\237\316r\14\177\3572\213O\22\4\311\177\201h\235\267\360\362\16vS\267\24\212o\316\250\26\346\354\212\265z|]\315\220R[\316\222A\373\25[\25U\340e\247\201!\261pU\352ep\231\271\313\25\342\357\265\354\34\305\344\234\370\15bd\335;6A\305\231\16\317\336\6=]\321'\177\370]|\342\347\323\264S=\266\264\311_l\225\363\264\373|\6\264od\364+\214\37\216\374\375\23\263(\327\27\3135nJ\334\273\205\149_}{B_\265hPG\321o\374i\237b\17\13E\376\234\263R_X\265\312/\6e\324vl\36\370\310\3037\26aQI\261;P\374\345T\25\262N\264\374 8\373\3615\374%\240\32\24\275\30\211\366n\256\245\235\371k\300\336\314\304x[\37\361\373f]\313f\236,\346F\243\3050\343\275\300\233\347\340\270\374\315\362\230B\330`\261\273\271*\375\335\245lj\321\320\226\225\3125\271\224\276w+\363\23\2115\262G\202\371\266q\235m\370\327\276\371\257|\217\261\240\220\13\353\232esq\365\233jo\243\227$\366\251W\227\274+\203#\213\317~\27O\274\37b7\34\337\252\352\340\252\330\263\315E\213\220d\233\265w\275\365\373G\305\25\257Gk\267\204\237=", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02115   416   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) R\267\373lJv_\321\330\315\4\23\332\246\347\356 (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263 (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02116   416   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "\350\207\274Yy\256\216\352\307\243\32\234_?r`9OP\262~\333\33]E\276\254\350\340\251}\267D\337\264\224\240\261\237jD\25zj@\275\210\23K\342X=d\20\351\315\276>\5\24\326\260\6\307\226\2464\263\330s\2118L\366\212}\210\322Z\227\25\246\3041Q"8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333"c\230R?`\263\1M\226b\3425\245\212\240E\340\362D\213J\307\357\2768\177\4\336c\371A\332q\4\222\303\252\221\34n\212SX\27\316\263\327&\303\4\277\23\326\12\15\346\345!Y\15\351w\212A\300d\252\265*l%\204\341n\244\17\3660\6'\370\312`\244)\253\372\263y\12\377o\241?\212\340D\225X\273\230\203\272-%/6\15\31 6A\330-\252\211\310#\14?\322\20yQ(\266l\231h+\221\42\367(\177\364o\216M\366+\245~\256\375%\32\222\317%\306Yj\322\317\7\31\233\33\304u\367;\10\366$\362S\327\322\310K\224\3511\227u_\236\351\374d\275\202\242\226\355qF\377\21\320\213\240\352\20R\241\2642q~\236\21Zcg\354+\206).\365\144\351`\361\331\322M,.\335\233\10\302@\252KD^5Ia\344V2C'\220cb\364t\206\363\200`b\31\241\242\234m\3508\210D\300\245t\376=\365>%:\274~\30|z\214\255n\370\315W\362?\216,\23\361=\377\0n\251\3267@\362l\350\244\376\1\256\355\325\24\237K\333**|n\323\306\360\357l\377*\312\0\376\245\4\3"\261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... {status=0x0, info=11776}, ) 8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333 (240, 0, 0, 0, "\350\207\274Yy\256\216\352\307\243\32\234_?r`9OP\262~\333\33]E\276\254\350\340\251}\267D\337\264\224\240\261\237jD\25zj@\275\210\23K\342X=d\20\351\315\276>\5\24\326\260\6\307\226\2464\263\330s\2118L\366\212}\210\322Z\227\25\246\3041Q"8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333"c\230R?`\263\1M\226b\3425\245\212\240E\340\362D\213J\307\357\2768\177\4\336c\371A\332q\4\222\303\252\221\34n\212SX\27\316\263\327&\303\4\277\23\326\12\15\346\345!Y\15\351w\212A\300d\252\265*l%\204\341n\244\17\3660\6'\370\312`\244)\253\372\263y\12\377o\241?\212\340D\225X\273\230\203\272-%/6\15\31 6A\330-\252\211\310#\14?\322\20yQ(\266l\231h+\221\42\367(\177\364o\216M\366+\245~\256\375%\32\222\317%\306Yj\322\317\7\31\233\33\304u\367;\10\366$\362S\327\322\310K\224\3511\227u_\236\351\374d\275\202\242\226\355qF\377\21\320\213\240\352\20R\241\2642q~\236\21Zcg\354+\206).\365\144\351`\361\331\322M,.\335\233\10\302@\252KD^5Ia\344V2C'\220cb\364t\206\363\200`b\31\241\242\234m\3508\210D\300\245t\376=\365>%:\274~\30|z\214\255n\370\315W\362?\216,\23\361=\377\0n\251\3267@\362l\350\244\376\1\256\355\325\24\237K\333**|n\323\306\360\357l\377*\312\0\376\245\4\3"\261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... {status=0x0, info=11776}, ) \261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... {status=0x0, info=11776}, ) == 0x0
 02117   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02118   416   NtSetInformationFile  (240, 1239044, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02119   416   NtClose  (12, ... ) == 0x0
 02120   416   NtClose  (240, ... ) == 0x0
 02121   416   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0
 02122   416   NtSetInformationFile  (240, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02123   416   NtClose  (240, ... ) == 0x0
 02124   416   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0
 02125   416   NtSetInformationFile  (240, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02126   416   NtClose  (240, ... ) == 0x0
 02127   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238948,  (0x80100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0
 02128   416   NtQueryInformationFile  (240, 1239000, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02129   416   NtClose  (240, ... ) == 0x0
 02130   416   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238948,  (0x40100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\System32\Isass.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0
 02131   416   NtSetInformationFile  (240, 1239000, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02132   416   NtClose  (240, ... ) == 0x0
 02133   416   NtOpenFile  (0x10080, {24, 244, 0x40, 0, 0,  (0x10080, {24, 244, 0x40, 0, 0, "wptarxbn.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   416   NtCreateFile  (0x40100080, {24, 244, 0x40, 0, 1239196,  (0x40100080, {24, 244, 0x40, 0, 1239196, "wptarxbn.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 240, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 240, {status=0x0, info=2}, ) == 0x0
 02135   416   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del wptarxbn.bat\15\12", 124, 0x0, 0, ... {status=0x0, info=124}, ) , 124, 0x0, 0, ... {status=0x0, info=124}, ) == 0x0
 02136   416   NtClose  (240, ... ) == 0x0
 02137   416   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02138   416   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 02139   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232536, ... ) }, 1232536, ... ) == 0x0
 02140   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02141   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 240, ... 12, ) == 0x0
 02142   416   NtClose  (240, ... ) == 0x0
 02143   416   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 262144, ) == 0x0
 02144   416   NtClose  (12, ... ) == 0x0
 02145   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02146   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02147   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02148   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02149   416   NtAllocateVirtualMemory  (-1, 1441792, 0, 16384, 4096, 4, ... 1441792, 16384, ) == 0x0
 02150   416   NtUserRegisterClassExWOW  (1234620, 1234700, 1234684, 1234716, 0, 384, 0, ... ) == 0x810dc038
 02151   416   NtUserGetAtomName  (49208, 1233384, ... ) == 0x15
 02152   416   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 02153   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230908, ... ) }, 1230908, ... ) == 0x0
 02154   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 02155   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 240, ) == 0x0
 02156   416   NtClose  (12, ... ) == 0x0
 02157   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 204800, ) == 0x0
 02158   416   NtClose  (240, ... ) == 0x0
 02159   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02160   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231224, ... ) }, 1231224, ... ) == 0x0
 02161   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02162   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 12, ) == 0x0
 02163   416   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02164   416   NtClose  (240, ... ) == 0x0
 02165   416   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 02166   416   NtClose  (12, ... ) == 0x0
 02167   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02168   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02169   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02170   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02171   416   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02172   416   NtClose  (12, ... ) == 0x0
 02173   416   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02174   416   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02175   416   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 240, ) }, ... 240, ) == 0x0
 02176   416   NtQueryValueKey  (240,  (240, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02177   416   NtClose  (240, ... ) == 0x0
 02178   416   NtClose  (12, ... ) == 0x0
 02179   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02180   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02181   416   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02182   416   NtClose  (12, ... ) == 0x0
 02183   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02184   416   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 240, ) }, ... 240, ) == 0x0
 02185   416   NtQueryValueKey  (240,  (240, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02186   416   NtClose  (240, ... ) == 0x0
 02187   416   NtClose  (12, ... ) == 0x0
 02188   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == 0x0
 02191   416   NtUserGetProcessWindowStation  (... ) == 0x28
 02192   416   NtUserGetObjectInformation  (40, 2, 0, 0, 1233020, ... ) == 0x0
 02193   416   NtUserGetObjectInformation  (40, 2, 1392448, 16, 1233020, ... ) == 0x1
 02194   416   NtUserGetGUIThreadInfo  (416, 1232976, ... ) == 0x1
 02195   416   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 02196   416   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 2645, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02197   416   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2646, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 2646, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2646, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02198   416   NtUserCallNoParam  (29, ...
 02199   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230268, ... ) }, 1230268, ... ) == 0x0
 02198   416   NtUserCallNoParam  ... ) == 0x0
 02200   416   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 02201   416   NtGdiHfontCreate  (1232348, 356, 0, 0, 1394136, ... ) == 0x30a0347
 02202   416   NtGdiHfontCreate  (1232348, 356, 0, 0, 1394128, ... ) == 0x30a0346
 02203   416   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2647, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 2647, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 2647, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02204   416   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 331776, ) == 0x0
 02205   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02206   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02207   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02208   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02209   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02210   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02211   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02212   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02213   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02214   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02215   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02216   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02217   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02218   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02219   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02220   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02221   416   NtAllocateVirtualMemory  (-1, 8871936, 0, 4096, 4096, 4, ... 8871936, 4096, ) == 0x0
 02222   416   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02223   416   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x2100349
 02224   416   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02225   416   NtUserCallNoParam  (29, ...
 02226   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 02225   416   NtUserCallNoParam  ... ) == 0x0
 02227   416   NtUserCallNoParam  (29, ...
 02228   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0
 02227   416   NtUserCallNoParam  ... ) == 0x0
 02229   416   NtUserMessageCall  (0x200e4, WM_NCCREATE, 0x0, 0x12d194, 0, 670, 0, ... ) == 0x1
 02230   416   NtUserMessageCall  (0x200e4, WM_NCCALCSIZE, 0x0, 0x12d1bc, 0, 670, 0, ... ) == 0x0
 02231   416   NtUserSetProp  (131300, 43288, -1, ... ) == 0x1
 02152   416   NtUserCreateWindowEx  ... ) == 0x200e4
 02232   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 252, ) }, ... 252, ) == 0x0
 02233   416   NtQueryValueKey  (252,  (252, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 256, ) }, ... 256, ) == 0x0
 02235   416   NtQueryValueKey  (256,  (256, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   416   NtClose  (256, ... ) == 0x0
 02237   416   NtClose  (252, ... ) == 0x0
 02238   416   NtAllocateVirtualMemory  (-1, 1458176, 0, 24576, 4096, 4, ... 1458176, 24576, ) == 0x0
 02239   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 02240   416   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 256, ) == 0x0
 02241   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02242   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0
 02243   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02244   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02245   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233148,  (0xc0100080, {24, 0, 0x40, 0, 1233148, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0
 02246   416   NtSetInformationFile  (264, 1233204, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02247   416   NtSetInformationFile  (264, 1233196, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02248   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02249   416   NtWriteFile  (264, 253, 0, 0,  (264, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02250   416   NtReadFile  (264, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (264, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02251   416   NtFsControlFile  (264, 253, 0x0, 0x0, 0x11c017,  (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02252   416   NtClose  (260, ... ) == 0x0
 02253   416   NtClose  (264, ... ) == 0x0
 02254   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233192, ... ) }, 1233192, ... ) == 0x0
 02255   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02256   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02257   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wptarxbn.bat"}, 1233012, ... ) }, 1233012, ... ) == 0x0
 02258   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02259   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02260   416   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329480, 0,  (0x1f0003, {24, 52, 0x80, 1329480, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 264, ) }, 0, 2147483647, ... 264, ) == STATUS_OBJECT_NAME_EXISTS
 02261   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02262   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02263   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02264   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02265   416   NtQueryValueKey  (260,  (260, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02266   416   NtClose  (260, ... ) == 0x0
 02267   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02268   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02269   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02270   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02271   416   NtQueryValueKey  (260,  (260, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02272   416   NtClose  (260, ... ) == 0x0
 02273   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02274   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02275   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02276   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02277   416   NtQueryValueKey  (260,  (260, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02278   416   NtClose  (260, ... ) == 0x0
 02279   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02280   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02281   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02282   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02283   416   NtQueryValueKey  (260,  (260, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02284   416   NtClose  (260, ... ) == 0x0
 02285   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 260, ) }, ... 260, ) == 0x0
 02286   416   NtEnumerateKey  (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 02287   416   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 268, ) }, ... 268, ) == 0x0
 02288   416   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02289   416   NtClose  (268, ... ) == 0x0
 02290   416   NtEnumerateKey  (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 02291   416   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 268, ) }, ... 268, ) == 0x0
 02292   416   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293   416   NtClose  (268, ... ) == 0x0
 02294   416   NtEnumerateKey  (260, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (260, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 02295   416   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 268, ) }, ... 268, ) == 0x0
 02296   416   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   416   NtClose  (268, ... ) == 0x0
 02298   416   NtEnumerateKey  (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 02299   416   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 268, ) }, ... 268, ) == 0x0
 02300   416   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02301   416   NtClose  (268, ... ) == 0x0
 02302   416   NtEnumerateKey  (260, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02303   416   NtClose  (260, ... ) == 0x0
 02304   416   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02305   416   NtOpenProcessToken  (-1, 0x8, ... 260, ) == 0x0
 02306   416   NtQueryInformationToken  (260, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02307   416   NtClose  (260, ... ) == 0x0
 02308   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02309   416   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0
 02310   416   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 268, ) == 0x0
 02311   416   NtCreateKey  (0x20019, {24, 268, 0x40, 0, 0,  (0x20019, {24, 268, 0x40, 0, 0, "SessionInfo\000000000000922c"}, 0, 0x0, 1, ... 272, 2, ) }, 0, 0x0, 1, ... 272, 2, ) == 0x0
 02312   416   NtClose  (268, ... ) == 0x0
 02313   416   NtOpenKey  (0x20019, {24, 272, 0x40, 0, 0,  (0x20019, {24, 272, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02314   416   NtClose  (272, ... ) == 0x0
 02315   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02316   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 272, ) == 0x0
 02317   416   NtQueryInformationToken  (272, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02318   416   NtClose  (272, ... ) == 0x0
 02319   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 272, ) }, ... 272, ) == 0x0
 02320   416   NtSetInformationObject  (274, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 02321   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02322   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02323   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02324   416   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02325   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02326   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02327   416   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02328   416   NtClose  (276, ... ) == 0x0
 02329   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02330   416   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02331   416   NtClose  (270, ... ) == 0x0
 02332   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02333   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02334   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02335   416   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02336   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02337   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02338   416   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02339   416   NtClose  (276, ... ) == 0x0
 02340   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02341   416   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342   416   NtClose  (270, ... ) == 0x0
 02343   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02344   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02345   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02346   416   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02347   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02348   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02349   416   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02350   416   NtClose  (276, ... ) == 0x0
 02351   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02352   416   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02353   416   NtClose  (270, ... ) == 0x0
 02354   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02355   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 02356   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02357   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0
 02358   416   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02359   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02360   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02361   416   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02362   416   NtClose  (276, ... ) == 0x0
 02363   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02364   416   NtQueryValueKey  (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02365   416   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02366   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02367   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02368   416   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02369   416   NtClose  (276, ... ) == 0x0
 02370   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02371   416   NtQueryValueKey  (270,  (270, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02372   416   NtClose  (270, ... ) == 0x0
 02373   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02374   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02375   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 268, ) }, ... 268, ) == 0x0
 02377   416   NtQueryValueKey  (268,  (268, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02378   416   NtClose  (268, ... ) == 0x0
 02379   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 268, ) }, ... 268, ) == 0x0
 02380   416   NtQueryValueKey  (268,  (268, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02381   416   NtClose  (268, ... ) == 0x0
 02382   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0
 02383   416   NtQueryValueKey  (268, " (268, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (268, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 02384   416   NtClose  (268, ... ) == 0x0
 02385   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 02386   416   NtQueryVolumeInformationFile  (268, 1233332, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02387   416   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 276, ) }, ... 276, ) == 0x0
 02388   416   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 02389   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 280, ) }, ... 280, ) == 0x0
 02390   416   NtMapViewOfSection  (280, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe00000), {0, 0}, 57344, ) == 0x0
 02391   416   NtQueryInformationFile  (268, 1233296, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02392   416   NtQueryInformationFile  (268, 1233336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02393   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02394   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02395   416   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02396   416   NtClose  (284, ... ) == 0x0
 02397   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   416   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 02399   416   NtClose  (268, ... ) == 0x0
 02400   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0
 02401   416   NtQueryValueKey  (268,  (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02402   416   NtClose  (268, ... ) == 0x0
 02403   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02406   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == 0x0
 02407   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 268, {status=0x0, info=1}, ) }, 5, 96, ... 268, {status=0x0, info=1}, ) == 0x0
 02408   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 268, ... 284, ) == 0x0
 02409   416   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02410   416   NtClose  (268, ... ) == 0x0
 02411   416   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 02412   416   NtClose  (284, ... ) == 0x0
 02413   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02415   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02416   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0
 02417   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02418   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 268, ) == 0x0
 02419   416   NtQuerySection  (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02420   416   NtClose  (284, ... ) == 0x0
 02421   416   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 02422   416   NtClose  (268, ... ) == 0x0
 02423   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 268, ) }, ... 268, ) == 0x0
 02424   416   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 02425   416   NtClose  (268, ... ) == 0x0
 02426   416   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 268, ) }, ... 268, ) == 0x0
 02429   416   NtQueryValueKey  (268,  (268, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430   416   NtQueryValueKey  (268,  (268, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431   416   NtClose  (268, ... ) == 0x0
 02432   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231112, ... ) }, 1231112, ... ) == 0x0
 02433   416   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02434   416   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02435   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0
 02436   416   NtQueryValueKey  (268,  (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02437   416   NtClose  (268, ... ) == 0x0
 02438   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 268, ) }, ... 268, ) == 0x0
 02439   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02440   416   NtNotifyChangeKey  (268, 284, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02441   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 288, ) }, ... 288, ) == 0x0
 02442   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 02443   416   NtNotifyChangeKey  (288, 292, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02444   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0
 02445   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 300, ) }, ... 300, ) == 0x0
 02446   416   NtSetInformationObject  (300, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 02447   416   NtNotifyChangeKey  (300, 296, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02448   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 304, ) }, ... 304, ) == 0x0
 02449   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0
 02450   416   NtNotifyChangeKey  (304, 308, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02451   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0
 02452   416   NtNotifyChangeKey  (300, 312, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02453   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 316, ) }, ... 316, ) == 0x0
 02454   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 320, ) == 0x0
 02455   416   NtNotifyChangeKey  (316, 320, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02456   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 324, ) }, ... 324, ) == 0x0
 02457   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0
 02458   416   NtNotifyChangeKey  (324, 328, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02459   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 332, ) }, ... 332, ) == 0x0
 02460   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 336, ) == 0x0
 02461   416   NtNotifyChangeKey  (332, 336, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02462   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 340, ) }, ... 340, ) == 0x0
 02463   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0
 02464   416   NtNotifyChangeKey  (340, 344, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02465   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02466   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0
 02467   416   NtNotifyChangeKey  (348, 352, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02468   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 356, ) == 0x0
 02469   416   NtNotifyChangeKey  (300, 356, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02470   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 360, ) }, ... 360, ) == 0x0
 02471   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0
 02472   416   NtNotifyChangeKey  (360, 364, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02473   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 368, ) }, ... 368, ) == 0x0
 02474   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0
 02475   416   NtNotifyChangeKey  (368, 372, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02476   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 376, ) }, ... 376, ) == 0x0
 02477   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0
 02478   416   NtNotifyChangeKey  (376, 380, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02479   416   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02480   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 384, ) }, ... 384, ) == 0x0
 02481   416   NtQueryValueKey  (384,  (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02482   416   NtClose  (384, ... ) == 0x0
 02483   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02484   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02485   416   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 384, ) }, ... 384, ) == 0x0
 02486   416   NtMapViewOfSection  (384, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe80000), {0, 0}, 24576, ) == 0x0
 02487   416   NtAllocateVirtualMemory  (-1, 8876032, 0, 8192, 4096, 4, ... 8876032, 8192, ) == 0x0
 02488   416   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 02489   416   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02490   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 388, ) }, ... 388, ) == 0x0
 02491   416   NtQueryValueKey  (388,  (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02492   416   NtClose  (388, ... ) == 0x0
 02493   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02494   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02495   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 15269888, 65536, ) == 0x0
 02496   416   NtAllocateVirtualMemory  (-1, 15269888, 0, 4096, 4096, 4, ... 15269888, 4096, ) == 0x0
 02497   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02498   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02499   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02500   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02501   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02502   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02503   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02504   416   NtClose  (392, ... ) == 0x0
 02505   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02506   416   NtOpenKey  (0x1, {24, 390, 0x40, 0, 0,  (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02507   416   NtClose  (390, ... ) == 0x0
 02508   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02509   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02510   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02511   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02512   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02513   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02514   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02515   416   NtClose  (392, ... ) == 0x0
 02516   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02517   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02518   416   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02519   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02520   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02521   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02522   416   NtClose  (396, ... ) == 0x0
 02523   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02524   416   NtQueryValueKey  (394,  (394, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02525   416   NtClose  (394, ... ) == 0x0
 02526   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02527   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02528   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02529   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02530   416   NtClose  (392, ... ) == 0x0
 02531   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02533   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02534   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02535   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02536   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02537   416   NtClose  (392, ... ) == 0x0
 02538   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02540   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02541   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02542   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02543   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02544   416   NtClose  (392, ... ) == 0x0
 02545   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02546   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02547   416   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02548   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02549   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02550   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02551   416   NtClose  (396, ... ) == 0x0
 02552   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02553   416   NtQueryValueKey  (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02554   416   NtClose  (394, ... ) == 0x0
 02555   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02556   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02557   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02558   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02559   416   NtClose  (392, ... ) == 0x0
 02560   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02561   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02562   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02563   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02564   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02565   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02566   416   NtClose  (392, ... ) == 0x0
 02567   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02568   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02569   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02570   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02571   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02572   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02573   416   NtClose  (392, ... ) == 0x0
 02574   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02575   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02576   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02577   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02578   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02579   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02580   416   NtClose  (392, ... ) == 0x0
 02581   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02583   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02584   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02585   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 392, ) }, ... 392, ) == 0x0
 02586   416   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02587   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02588   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02589   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02590   416   NtClose  (396, ... ) == 0x0
 02591   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02592   416   NtQueryValueKey  (394,  (394, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02593   416   NtClose  (394, ... ) == 0x0
 02594   416   NtClose  (390, ... ) == 0x0
 02595   416   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 388, ) == 0x0
 02596   416   NtQueryInformationProcess  (388, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02597   416   NtClose  (388, ... ) == 0x0
 02598   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02599   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02600   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02601   416   NtClose  (390, ... ) == 0x0
 02602   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 02603   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02604   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02605   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02606   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02607   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02608   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02609   416   NtClose  (392, ... ) == 0x0
 02610   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02611   416   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02612   416   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02613   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02614   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02615   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02616   416   NtClose  (396, ... ) == 0x0
 02617   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02618   416   NtQueryValueKey  (394,  (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02619   416   NtClose  (394, ... ) == 0x0
 02620   416   NtClose  (390, ... ) == 0x0
 02621   416   NtAllocateVirtualMemory  (-1, 1486848, 0, 8192, 4096, 4, ... 1486848, 8192, ) == 0x0
 02622   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02623   416   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02624   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02625   416   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02626   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02627   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02628   416   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02629   416   NtClose  (392, ... ) == 0x0
 02630   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02631   416   NtOpenKey  (0x1, {24, 390, 0x40, 0, 0,  (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02632   416   NtClose  (390, ... ) == 0x0
 02633   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227504, ... ) }, 1227504, ... ) == 0x0
 02634   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 02635   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 392, ) == 0x0
 02636   416   NtClose  (388, ... ) == 0x0
 02637   416   NtMapViewOfSection  (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 1339392, ) == 0x0
 02638   416   NtClose  (392, ... ) == 0x0
 02639   416   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02640   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227820, ... ) }, 1227820, ... ) == 0x0
 02641   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 392, {status=0x0, info=1}, ) }, 5, 96, ... 392, {status=0x0, info=1}, ) == 0x0
 02642   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 392, ... 388, ) == 0x0
 02643   416   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02644   416   NtClose  (392, ... ) == 0x0
 02645   416   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 02646   416   NtClose  (388, ... ) == 0x0
 02647   416   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02648   416   NtQueryDefaultUILanguage  (1226184, ...
 02649   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02650   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482212, ) == 0x0
 02651   416   NtQueryInformationToken  (-2147482212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02652   416   NtClose  (-2147482212, ... ) == 0x0
 02653   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482212, ) }, ... -2147482212, ) == 0x0
 02654   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02655   416   NtOpenKey  (0x80000000, {24, -2147482212, 0x640, 0, 0,  (0x80000000, {24, -2147482212, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 02656   416   NtQueryValueKey  (-2147482208,  (-2147482208, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02657   416   NtClose  (-2147482208, ... ) == 0x0
 02658   416   NtClose  (-2147482212, ... ) == 0x0
 02648   416   NtQueryDefaultUILanguage  ... ) == 0x0
 02659   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02660   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 02661   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 388, ... 392, ) == 0x0
 02662   416   NtMapViewOfSection  (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xea0000), 0x0, 1339392, ) == 0x0
 02663   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02664   416   NtQueryDefaultLocale  (1, 1224220, ... ) == 0x0
 02665   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02666   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 2648, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 416, 2648, 0}  (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 2648, 0} " S\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" )  ) == 0x0
 02667   416   NtClose  (388, ... ) == 0x0
 02668   416   NtClose  (392, ... ) == 0x0
 02669   416   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02670   416   NtUnmapViewOfSection  (-1, 0x12b874, ... ) == STATUS_NOT_MAPPED_VIEW
 02671   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02672   416   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02673   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02674   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02675   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222760, ... ) }, 1222760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02677   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02678   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02679   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223352, ... ) }, 1223352, ... ) == 0x0
 02680   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 392, {status=0x0, info=1}, ) }, 3, 33, ... 392, {status=0x0, info=1}, ) == 0x0
 02681   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02682   416   NtUserFindExistingCursorIcon  (1227304, 1227320, 1227888, ... ) == 0x10011
 02683   416   NtUserRegisterClassExWOW  (1227756, 1227836, 1227820, 1227852, 0, 384, 0, ... ) == 0x810d0000
 02684   416   NtUserGetClassInfo  (1905590272, 1227920, 1227872, 1227948, 0, ... ) == 0xc05f
 02685   416   NtGdiCreateHalftonePalette  (0, ... ) == 0x11080465
 02686   416   NtGdiDoPalette  (285738085, 0, 256, 1227012, 2, 0, ... ) == 0x100
 02687   416   NtGdiDeleteObjectApp  (285738085, ... ) == 0x1
 02688   416   NtGdiCreateCompatibleDC  (0, ... ) == 0x12010465
 02689   416   NtGdiCreatePaletteInternal  (1227008, 256, ... ) == 0xd08046c
 02690   416   NtGdiDeleteObjectApp  (302056549, ... ) == 0x1
 02691   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 02692   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02693   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 388, ) }, ... 388, ) == 0x0
 02694   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 02695   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02696   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02697   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02698   416   NtClose  (396, ... ) == 0x0
 02699   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02700   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02701   416   NtClose  (390, ... ) == 0x0
 02702   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02703   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02704   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02705   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02706   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02707   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02708   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02709   416   NtClose  (396, ... ) == 0x0
 02710   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02711   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02712   416   NtClose  (390, ... ) == 0x0
 02713   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02714   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02715   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02716   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02717   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02718   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02719   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02720   416   NtClose  (396, ... ) == 0x0
 02721   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02722   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02723   416   NtClose  (390, ... ) == 0x0
 02724   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02725   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02726   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02727   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02728   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02729   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02730   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02731   416   NtClose  (396, ... ) == 0x0
 02732   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02733   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02734   416   NtClose  (390, ... ) == 0x0
 02735   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02736   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02737   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02738   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02739   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02740   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02741   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02742   416   NtClose  (396, ... ) == 0x0
 02743   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02744   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02745   416   NtClose  (390, ... ) == 0x0
 02746   416   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 02747   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   416   NtAllocateVirtualMemory  (-1, 1499136, 0, 12288, 4096, 4, ... 1499136, 12288, ) == 0x0
 02749   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02750   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02751   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02752   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02753   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02754   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02755   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02756   416   NtClose  (396, ... ) == 0x0
 02757   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   416   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02759   416   NtClose  (390, ... ) == 0x0
 02760   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02761   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02762   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02763   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02764   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02765   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02766   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02767   416   NtClose  (396, ... ) == 0x0
 02768   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02769   416   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02770   416   NtClose  (390, ... ) == 0x0
 02771   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02772   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02773   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02774   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02775   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02776   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02777   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02778   416   NtClose  (396, ... ) == 0x0
 02779   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02780   416   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02781   416   NtClose  (390, ... ) == 0x0
 02782   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02783   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02784   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02785   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02786   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02787   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02788   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02789   416   NtClose  (396, ... ) == 0x0
 02790   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02791   416   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02792   416   NtClose  (390, ... ) == 0x0
 02793   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 388, ) }, ... 388, ) == 0x0
 02794   416   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02795   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02796   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02797   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 396, ) }, ... 396, ) == 0x0
 02798   416   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02799   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02800   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 02801   416   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02802   416   NtClose  (400, ... ) == 0x0
 02803   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02804   416   NtQueryValueKey  (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02805   416   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02806   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02807   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 02808   416   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02809   416   NtClose  (400, ... ) == 0x0
 02810   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02811   416   NtQueryValueKey  (398,  (398, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02812   416   NtClose  (398, ... ) == 0x0
 02813   416   NtEnumerateValueKey  (388, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02814   416   NtClose  (388, ... ) == 0x0
 02815   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02816   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02817   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1232464, ... ) }, 1232464, ... ) == 0x0
 02818   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02819   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02820   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02821   416   NtQueryValueKey  (388,  (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02822   416   NtClose  (388, ... ) == 0x0
 02823   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02824   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02825   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1233492, ... ) }, 1233492, ... ) == 0x0
 02826   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02827   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02828   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02829   416   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02830   416   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02831   416   NtClose  (388, ... ) == 0x0
 02832   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234316,  (0x80100080, {24, 0, 0x40, 0, 1234316, "\??\u:\work\wptarxbn.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02833   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 396, ) }, ... 396, ) == 0x0
 02834   416   NtQuerySymbolicLinkObject  (396, ...  (396, ... "\Device\WinDfs\U:000000000000922c", 66, ) , 66, ) == 0x0
 02835   416   NtClose  (396, ... ) == 0x0
 02836   416   NtQueryInformationFile  (388, 1232760, 528, Name, ... {status=0x0, info=76}, ) == 0x0
 02837   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02838   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02839   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\wptarxbn.bat"}, 1231440, ... ) }, 1231440, ... ) == 0x0
 02840   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0
 02841   416   NtQueryDirectoryFile  (396, 0, 0, 0, 1230800, 616, BothDirectory, 1,  (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02842   416   NtClose  (396, ... ) == 0x0
 02843   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0
 02844   416   NtQueryDirectoryFile  (396, 0, 0, 0, 1230800, 616, BothDirectory, 1,  (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, "wptarxbn.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02845   416   NtClose  (396, ... ) == 0x0
 02846   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02847   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02848   416   NtSetInformationFile  (388, 1234200, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02849   416   NtReadFile  (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02850   416   NtWaitForSingleObject  (100, 0, 0x0, ... ) == 0x0
 02851   416   NtClearEvent  (128, ... ) == 0x0
 02852   416   NtReleaseMutant  (100, ... 0x0, ) == 0x0
 02853   416   NtWaitForSingleObject  (100, 0, 0x0, ... ) == 0x0
 02854   416   NtSetEvent  (128, ... 0x0, ) == 0x0
 02855   416   NtReleaseMutant  (100, ... 0x0, ) == 0x0
 02856   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02857   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02858   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02859   416   NtClose  (396, ... ) == 0x0
 02860   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02861   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02862   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02863   416   NtClose  (396, ... ) == 0x0
 02864   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02865   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02866   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02867   416   NtClose  (396, ... ) == 0x0
 02868   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02869   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02870   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02871   416   NtClose  (396, ... ) == 0x0
 02872   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02873   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02874   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02875   416   NtClose  (396, ... ) == 0x0
 02876   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02877   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02878   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02879   416   NtClose  (396, ... ) == 0x0
 02880   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02881   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02882   416   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02883   416   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02884   416   NtClose  (396, ... ) == 0x0
 02885   416   NtWaitForMultipleObjects  (2, (100, 128, ), 0, 0, 0x0, ... ) == 0x0
 02886   416   NtReleaseMutant  (100, ... 0x0, ) == 0x0
 02887   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02888   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02889   416   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02890   416   NtClose  (396, ... ) == 0x0
 02891   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02892   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02893   416   NtClose  (396, ... ) == 0x0
 02894   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 396, ) }, ... 396, ) == 0x0
 02895   416   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02896   416   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02897   416   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02898   416   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02899   416   NtClose  (396, ... ) == 0x0
 02900   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 396, ) }, ... 396, ) == 0x0
 02901   416   NtQueryValueKey  (396,  (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02902   416   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02903   416   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02904   416   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02905   416   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02906   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231488, ... ) }, 1231488, ... ) == 0x0
 02907   416   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 400, ) }, ... 400, ) == 0x0
 02908   416   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02909   416   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02910   416   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02911   416   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02912   416   NtClose  (400, ... ) == 0x0
 02913   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02914   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02915   416   NtOpenProcessToken  (-1, 0x8, ... 400, ) == 0x0
 02916   416   NtQueryInformationToken  (400, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02917   416   NtClose  (400, ... ) == 0x0
 02918   416   NtClose  (396, ... ) == 0x0
 02919   416   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02920   416   NtOpenProcessToken  (-1, 0x8, ... 396, ) == 0x0
 02921   416   NtQueryInformationToken  (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02922   416   NtClose  (396, ... ) == 0x0
 02923   416   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02924   416   NtCreateKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0
 02925   416   NtClose  (396, ... ) == 0x0
 02926   416   NtQueryValueKey  (400,  (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02927   416   NtClose  (400, ... ) == 0x0
 02928   416   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02929   416   NtOpenProcessToken  (-1, 0x8, ... 400, ) == 0x0
 02930   416   NtQueryInformationToken  (400, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02931   416   NtClose  (400, ... ) == 0x0
 02932   416   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0
 02933   416   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 396, ) }, ... 396, ) == 0x0
 02934   416   NtClose  (400, ... ) == 0x0
 02935   416   NtQueryValueKey  (396,  (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02936   416   NtClose  (396, ... ) == 0x0
 02937   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02938   416   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02939   416   NtOpenProcessToken  (-1, 0x8, ... 396, ) == 0x0
 02940   416   NtQueryInformationToken  (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02941   416   NtClose  (396, ... ) == 0x0
 02942   416   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02943   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02944   416   NtClose  (396, ... ) == 0x0
 02945   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02946   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 388, ... 396, ) == 0x0
 02947   416   NtMapViewOfSection  (396, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xea0000), {0, 0}, 4096, ) == 0x0
 02948   416   NtClose  (396, ... ) == 0x0
 02949   416   NtQueryInformationFile  (388, 1233704, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02950   416   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02951   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02952   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02953   416   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0
 02954   416   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02955   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 408, ) == 0x0
 02956   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02957   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02958   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02959   416   NtClose  (408, ... ) == 0x0
 02960   416   NtEnumerateKey  (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02961   416   NtClose  (404, ... ) == 0x0
 02962   416   NtClose  (400, ... ) == 0x0
 02963   416   NtClose  (396, ... ) == 0x0
 02964   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02965   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02966   416   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 404, ) }, ... 404, ) == 0x0
 02967   416   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02968   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 408, ) }, ... 408, ) == 0x0
 02969   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02970   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02971   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02972   416   NtClose  (408, ... ) == 0x0
 02973   416   NtEnumerateKey  (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02974   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0
 02975   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02976   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02977   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02978   416   NtClose  (408, ... ) == 0x0
 02979   416   NtEnumerateKey  (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02980   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 408, ) }, ... 408, ) == 0x0
 02981   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02982   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02983   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02984   416   NtClose  (408, ... ) == 0x0
 02985   416   NtEnumerateKey  (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02986   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0
 02987   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02988   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02989   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02990   416   NtClose  (408, ... ) == 0x0
 02991   416   NtEnumerateKey  (404, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02992   416   NtClose  (404, ... ) == 0x0
 02993   416   NtClose  (400, ... ) == 0x0
 02994   416   NtClose  (396, ... ) == 0x0
 02995   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02996   416   NtEnumerateKey  (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02997   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02998   416   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0
 02999   416   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 03000   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 408, ) == 0x0
 03001   416   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03002   416   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 03003   416   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 03004   416   NtClose  (408, ... ) == 0x0
 03005   416   NtEnumerateKey  (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03006   416   NtClose  (404, ... ) == 0x0
 03007   416   NtClose  (400, ... ) == 0x0
 03008   416   NtEnumerateKey  (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 03009   416   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 1"}, ... 400, ) }, ... 400, ) == 0x0
 03010   416   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03011   416   NtClose  (400, ... ) == 0x0
 03012   416   NtEnumerateKey  (396, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03013   416   NtClose  (396, ... ) == 0x0
 03014   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0
 03015   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0
 03016   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 396, ... 400, ) == 0x0
 03017   416   NtClose  (396, ... ) == 0x0
 03018   416   NtMapViewOfSection  (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 16384, ) == 0x0
 03019   416   NtClose  (400, ... ) == 0x0
 03020   416   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 03021   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0
 03022   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 400, {status=0x0, info=1}, ) }, 5, 96, ... 400, {status=0x0, info=1}, ) == 0x0
 03023   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 400, ... 396, ) == 0x0
 03024   416   NtQuerySection  (396, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03025   416   NtClose  (400, ... ) == 0x0
 03026   416   NtMapViewOfSection  (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 03027   416   NtClose  (396, ... ) == 0x0
 03028   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230808, ... ) }, 1230808, ... ) == 0x0
 03029   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 03030   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15335424, 1048576, ) == 0x0
 03031   416   NtAllocateVirtualMemory  (-1, 16375808, 0, 8192, 4096, 4, ... 16375808, 8192, ) == 0x0
 03032   416   NtProtectVirtualMemory  (-1, (0xf9e000), 4096, 260, ... (0xf9e000), 4096, 4, ) == 0x0
 03033   416   NtCreateThread  (0x1f03ff, 0x0, -1, 1232756, 1233472, 1, ... 400, {412, 212}, ) == 0x0
 03034   416   NtQueryInformationThread  (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=412,Tid=212,}, 0x0, ) == 0x0
 03035   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0\234\1\0\0\324\0\0\0" ... {28, 56, reply, 0, 412, 416, 2649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0\234\1\0\0\324\0\0\0" )  ... {28, 56, reply, 0, 412, 416, 2649, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0\234\1\0\0\324\0\0\0" ... {28, 56, reply, 0, 412, 416, 2649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0\234\1\0\0\324\0\0\0" )  ) == 0x0
 03036   416   NtResumeThread  (400, ... 1, ) == 0x0
 03037   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 404, ) }, ... 404, ) == 0x0
 03038   416   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 03039   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 0"}, ... }, ...
 03040   212   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03041   212   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03042   212   NtTestAlert  (... ) == 0x0
 03043   212   NtContinue  (16383280, 1, ...
 03044   212   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03045   212   NtWaitForMultipleObjects  (1, (396, ), 1, 0, {-150000000, -1}, ...
 03039   416   NtOpenKey  ... 408, ) == 0x0
 03046   416   NtOpenKey  (0x20019, {24, 408, 0x40, 0, 0,  (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 412, ) }, ... 412, ) == 0x0
 03047   416   NtEnumerateKey  (412, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (412, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 03048   416   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 416, ) }, ... 416, ) == 0x0
 03049   416   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03050   416   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 03051   416   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 03052   416   NtClose  (416, ... ) == 0x0
 03053   416   NtEnumerateKey  (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 03054   416   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0
 03055   416   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03056   416   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03057   416   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03058   416   NtClose  (416, ... ) == 0x0
 03059   416   NtEnumerateKey  (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 03060   416   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 416, ) }, ... 416, ) == 0x0
 03061   416   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03062   416   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03063   416   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03064   416   NtClose  (416, ... ) == 0x0
 03065   416   NtEnumerateKey  (412, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (412, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 03066   416   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0
 03067   416   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03068   416   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03069   416   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03070   416   NtClose  (416, ... ) == 0x0
 03071   416   NtEnumerateKey  (412, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03072   416   NtClose  (412, ... ) == 0x0
 03073   416   NtClose  (408, ... ) == 0x0
 03074   416   NtEnumerateKey  (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 03075   416   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 1"}, ... 408, ) }, ... 408, ) == 0x0
 03076   416   NtOpenKey  (0x20019, {24, 408, 0x40, 0, 0,  (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03077   416   NtClose  (408, ... ) == 0x0
 03078   416   NtEnumerateKey  (404, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03079   416   NtClose  (404, ... ) == 0x0
 03080   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03081   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03082   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03083   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == 0x0
 03084   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0
 03085   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0
 03086   416   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03087   416   NtClose  (404, ... ) == 0x0
 03088   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 03089   416   NtClose  (408, ... ) == 0x0
 03090   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03091   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16384000, 65536, ) == 0x0
 03092   416   NtAllocateVirtualMemory  (-1, 16384000, 0, 4096, 4096, 4, ... 16384000, 4096, ) == 0x0
 03093   416   NtAllocateVirtualMemory  (-1, 16388096, 0, 8192, 4096, 4, ... 16388096, 8192, ) == 0x0
 03094   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231128, ... ) }, 1231128, ... ) == 0x0
 03095   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03096   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 408, ... 404, ) == 0x0
 03097   416   NtClose  (408, ... ) == 0x0
 03098   416   NtMapViewOfSection  (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 262144, ) == 0x0
 03099   416   NtClose  (404, ... ) == 0x0
 03100   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03101   416   NtAllocateLocallyUniqueId  (... {105830, 0}, ) == 0x0
 03102   416   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 03103   416   NtOpenProcessToken  (-1, 0x20008, ... 404, ) == 0x0
 03104   416   NtQueryInformationToken  (404, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 03105   416   NtClose  (404, ... ) == 0x0
 03106   416   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232448, 0,  (0xf0007, {24, 52, 0x80, 1232448, 0, "DfSharedHeap19D66"}, {4194304, 0}, 4, 67108864, 0, ... 404, ) }, {4194304, 0}, 4, 67108864, 0, ... 404, ) == 0x0
 03107   416   NtMapViewOfSection  (404, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1090000), {0, 0}, 4194304, ) == 0x0
 03108   416   NtAllocateVirtualMemory  (-1, 17367040, 0, 16376, 4096, 4, ... 17367040, 16384, ) == 0x0
 03109   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229964,  (0x80100080, {24, 0, 0x40, 0, 1229964, "\??\UNC\missouri\binaries\work\wptarxbn.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) == 0x0
 03110   416   NtReadFile  (408, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=124},  (408, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=124}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del wptarxbn.bat\15\12", ) , ) == 0x0
 03111   416   NtClose  (408, ... ) == 0x0
 03112   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0
 03113   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03114   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 408, ... 412, ) == 0x0
 03115   416   NtClose  (408, ... ) == 0x0
 03116   416   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 69632, ) == 0x0
 03117   416   NtClose  (412, ... ) == 0x0
 03118   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03119   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0
 03120   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03121   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 412, ... 408, ) == 0x0
 03122   416   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03123   416   NtClose  (412, ... ) == 0x0
 03124   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 03125   416   NtClose  (408, ... ) == 0x0
 03126   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 408, ) }, ... 408, ) == 0x0
 03127   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 03128   416   NtClose  (408, ... ) == 0x0
 03129   416   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 03130   416   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 03131   416   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 03132   416   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 03133   416   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 03134   416   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 03135   416   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 03136   416   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 03137   416   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 03138   416   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 03139   416   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 03140   416   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 03141   416   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 03142   416   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 03143   416   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 03144   416   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 03145   416   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 03146   416   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 03147   416   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 03148   416   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 03149   416   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 03150   416   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 03151   416   NtOpenProcessToken  (-1, 0x8, ... 408, ) == 0x0
 03152   416   NtQueryInformationToken  (408, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 03153   416   NtClose  (408, ... ) == 0x0
 03154   416   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03155   416   NtReleaseMutant  (16, ...
 03156   416   NtContinue  (-136511352, 0, ...
 03155   416   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03157   416   NtQueryDefaultLocale  (1, 1230228, ... ) == 0x0
 03158   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03160   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03161   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03162   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03163   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03166   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03167   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03169   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03170   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03171   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03172   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03173   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03174   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03177   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03178   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03179   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03180   416   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03181   416   NtReleaseMutant  (16, ...
 03182   416   NtContinue  (-136511352, 0, ...
 03181   416   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03183   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03184   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03185   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03186   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03187   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03188   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03189   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03190   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03191   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03193   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03194   416   NtClose  (388, ... ) == 0x0
 03195   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 03196   416   NtQueryValueKey  (388,  (388, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03197   416   NtClose  (388, ... ) == 0x0
 03198   416   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 03199   416   NtOpenProcessToken  (-1, 0x2000a, ... 388, ) == 0x0
 03200   416   NtQueryInformationToken  (388, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03201   416   NtQueryInformationToken  (388, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03202   416   NtClose  (388, ... ) == 0x0
 03203   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03204   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03205   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03206   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03207   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0
 03208   416   NtQueryValueKey  (388,  (388, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03209   416   NtClose  (388, ... ) == 0x0
 03210   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03211   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03212   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03213   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0
 03214   416   NtQueryValueKey  (388,  (388, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03215   416   NtClose  (388, ... ) == 0x0
 03216   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 03217   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03218   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 388, ) }, ... 388, ) == 0x0
 03219   416   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 03220   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03221   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03222   416   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03223   416   NtClose  (408, ... ) == 0x0
 03224   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03225   416   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03226   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230836, ... ) }, 1230836, ... ) == 0x0
 03227   416   NtClose  (390, ... ) == 0x0
 03228   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03229   416   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 388, {status=0x0, info=1}, ) }, 3, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03230   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 408, ) }, ... 408, ) == 0x0
 03231   416   NtQuerySymbolicLinkObject  (408, ...  (408, ... "\Device\WinDfs\U:000000000000922c", 66, ) , 66, ) == 0x0
 03232   416   NtClose  (408, ... ) == 0x0
 03233   416   NtQueryVolumeInformationFile  (388, 1234188, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03234   416   NtClose  (388, ... ) == 0x0
 03235   416   NtWaitForSingleObject  (120, 0, {0, 0}, ... ) == 0x102
 03236   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 388, ) }, ... 388, ) == 0x0
 03237   416   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 408, ) }, ... 408, ) == 0x0
 03238   416   NtQueryValueKey  (408,  (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 03239   416   NtQueryValueKey  (408,  (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 03240   416   NtClose  (408, ... ) == 0x0
 03241   416   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03242   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03243   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03244   416   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03245   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03246   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03247   416   NtClose  (408, ... ) == 0x0
 03248   416   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03249   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03250   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03251   416   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03252   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03253   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03254   416   NtClose  (408, ... ) == 0x0
 03255   416   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03256   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03257   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03258   416   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03259   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03260   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03261   416   NtClose  (408, ... ) == 0x0
 03262   416   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03263   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03264   416   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03265   416   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03266   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 03267   416   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 03268   416   NtClose  (408, ... ) == 0x0
 03269   416   NtClose  (388, ... ) == 0x0
 03270   416   NtQueryDefaultLocale  (1, 1233740, ... ) == 0x0
 03271   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 03272   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03273   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0
 03274   416   NtClose  (388, ... ) == 0x0
 03275   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 12288, ) == 0x0
 03276   416   NtClose  (408, ... ) == 0x0
 03277   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03278   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 03279   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03280   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03281   416   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03282   416   NtClose  (408, ... ) == 0x0
 03283   416   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 03284   416   NtClose  (388, ... ) == 0x0
 03285   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 388, ) }, ... 388, ) == 0x0
 03286   416   NtQueryValueKey  (388,  (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03287   416   NtClose  (388, ... ) == 0x0
 03288   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 03289   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03290   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0
 03291   416   NtClose  (388, ... ) == 0x0
 03292   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 40960, ) == 0x0
 03293   416   NtClose  (408, ... ) == 0x0
 03294   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03295   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 03296   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03297   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03298   416   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03299   416   NtClose  (408, ... ) == 0x0
 03300   416   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 03301   416   NtClose  (388, ... ) == 0x0
 03302   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0
 03304   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03305   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0
 03306   416   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03307   416   NtClose  (388, ... ) == 0x0
 03308   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 03309   416   NtClose  (408, ... ) == 0x0
 03310   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03311   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0
 03312   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03313   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03314   416   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03315   416   NtClose  (408, ... ) == 0x0
 03316   416   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 03317   416   NtClose  (388, ... ) == 0x0
 03318   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03319   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0
 03320   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03321   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0
 03322   416   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03323   416   NtClose  (388, ... ) == 0x0
 03324   416   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 03325   416   NtClose  (408, ... ) == 0x0
 03326   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03327   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0
 03328   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03329   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03330   416   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03331   416   NtClose  (408, ... ) == 0x0
 03332   416   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 03333   416   NtClose  (388, ... ) == 0x0
 03334   416   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 388, ) }, ... 388, ) == 0x0
 03335   416   NtQueryValueKey  (388,  (388, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03336   416   NtAllocateVirtualMemory  (-1, 8884224, 0, 4096, 4096, 4, ... 8884224, 4096, ) == 0x0
 03337   416   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 408, ) == 0x0
 03338   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0
 03339   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03340   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0
 03341   416   NtClose  (412, ... ) == 0x0
 03342   416   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 24576, ) == 0x0
 03343   416   NtClose  (416, ... ) == 0x0
 03344   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03345   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0
 03346   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03347   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 03348   416   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03349   416   NtClose  (416, ... ) == 0x0
 03350   416   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 03351   416   NtClose  (412, ... ) == 0x0
 03352   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 412, ) }, ... 412, ) == 0x0
 03353   416   NtQueryValueKey  (412,  (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03354   416   NtClose  (412, ... ) == 0x0
 03355   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03356   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03357   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03358   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03359   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == 0x0
 03360   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03361   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0
 03362   416   NtClose  (412, ... ) == 0x0
 03363   416   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 122880, ) == 0x0
 03364   416   NtClose  (416, ... ) == 0x0
 03365   416   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03366   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03367   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03368   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03369   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03370   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == 0x0
 03371   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03372   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 03373   416   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03374   416   NtClose  (416, ... ) == 0x0
 03375   416   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xfb0000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE
 03376   416   NtProtectVirtualMemory  (-1, (0xfb1000), 81920, 4, ... (0xfb1000), 81920, 32, ) == 0x0
 03377   416   NtProtectVirtualMemory  (-1, (0xfc5000), 12288, 4, ... (0xfc5000), 12288, 2, ) == 0x0
 03378   416   NtProtectVirtualMemory  (-1, (0xfce000), 8192, 4, ... (0xfce000), 8192, 2, ) == 0x0
 03379   416   NtMapViewOfSection  (412, -1, (0xfb0000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 03380   416   NtProtectVirtualMemory  (-1, (0xfb1000), 81920, 16, ... (0xfb1000), 81920, 4, ) == 0x0
 03381   416   NtProtectVirtualMemory  (-1, (0xfc5000), 12288, 2, ... (0xfc5000), 12288, 4, ) == 0x0
 03382   416   NtProtectVirtualMemory  (-1, (0xfce000), 8192, 2, ... (0xfce000), 8192, 8, ) == 0x0
 03383   416   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 03384   416   NtClose  (412, ... ) == 0x0
 03385   416   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03386   416   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03387   416   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03388   416   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03389   416   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03390   416   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03391   416   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03392   416   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03393   416   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03394   416   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03395   416   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03396   416   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03397   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03398   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16580608, 65536, ) == 0x0
 03399   416   NtAllocateVirtualMemory  (-1, 16580608, 0, 4096, 4096, 4, ... 16580608, 4096, ) == 0x0
 03400   416   NtAllocateVirtualMemory  (-1, 16584704, 0, 8192, 4096, 4, ... 16584704, 8192, ) == 0x0
 03401   416   NtAllocateVirtualMemory  (-1, 16592896, 0, 4096, 4096, 4, ... 16592896, 4096, ) == 0x0
 03402   416   NtQueryPerformanceCounter  (... {320074920, 0}, {3579545, 0}, ) == 0x0
 03403   416   NtRaiseException  (1231552, 1230812, 1, ...
 03404   416   NtContinue  (1229608, 0, ...
 03405   416   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 412, ) }, ... 412, ) == 0x0
 03406   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03407   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03408   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03409   416   NtRaiseException  (1221528, 1220788, 1, ...
 03410   416   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 03411   416   NtContinue  (1219584, 0, ...
 03412   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03413   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03414   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03415   416   NtRaiseException  (1223288, 1222548, 1, ...
 03416   416   NtContinue  (1221344, 0, ...
 03417   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03418   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03419   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03420   416   NtRaiseException  (1223292, 1222552, 1, ...
 03421   416   NtContinue  (1221348, 0, ...
 03422   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03423   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03424   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03425   416   NtRaiseException  (1223288, 1222548, 1, ...
 03426   416   NtContinue  (1221344, 0, ...
 03427   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03428   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03429   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03430   416   NtRaiseException  (1223292, 1222552, 1, ...
 03431   416   NtContinue  (1221348, 0, ...
 03432   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03433   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03434   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03435   416   NtRaiseException  (1223288, 1222548, 1, ...
 03436   416   NtContinue  (1221344, 0, ...
 03437   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03438   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03439   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03440   416   NtRaiseException  (1223292, 1222552, 1, ...
 03441   416   NtContinue  (1221348, 0, ...
 03442   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03443   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03444   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03445   416   NtRaiseException  (1223288, 1222548, 1, ...
 03446   416   NtContinue  (1221344, 0, ...
 03447   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03448   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03449   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03450   416   NtRaiseException  (1223292, 1222552, 1, ...
 03451   416   NtContinue  (1221348, 0, ...
 03452   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03453   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03454   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03455   416   NtRaiseException  (1223288, 1222548, 1, ...
 03456   416   NtContinue  (1221344, 0, ...
 03457   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03458   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03459   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03460   416   NtRaiseException  (1223292, 1222552, 1, ...
 03461   416   NtContinue  (1221348, 0, ...
 03462   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03463   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03464   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03465   416   NtRaiseException  (1223288, 1222548, 1, ...
 03466   416   NtContinue  (1221344, 0, ...
 03467   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03468   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03469   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03470   416   NtRaiseException  (1223292, 1222552, 1, ...
 03471   416   NtContinue  (1221348, 0, ...
 03472   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03473   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03474   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03475   416   NtRaiseException  (1223288, 1222548, 1, ...
 03476   416   NtContinue  (1221344, 0, ...
 03477   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03478   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03480   416   NtRaiseException  (1223292, 1222552, 1, ...
 03481   416   NtContinue  (1221348, 0, ...
 03482   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03483   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03484   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03485   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 03486   416   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 416, ) == 0x0
 03487   416   NtQueryInformationProcess  (416, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 03488   416   NtClose  (416, ... ) == 0x0
 03489   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 03490   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03491   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0
 03492   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03493   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03494   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230768,  (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03495   416   NtSetInformationFile  (420, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03496   416   NtSetInformationFile  (420, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03497   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03498   416   NtWriteFile  (420, 253, 0, 0,  (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03499   416   NtReadFile  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20L\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03500   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20L\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20L\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03501   416   NtClose  (416, ... ) == 0x0
 03502   416   NtClose  (420, ... ) == 0x0
 03503   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03504   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0
 03505   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03506   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03507   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230768,  (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 03508   416   NtSetInformationFile  (416, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03509   416   NtSetInformationFile  (416, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03510   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03511   416   NtWriteFile  (416, 253, 0, 0,  (416, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03512   416   NtReadFile  (416, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (416, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20M\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03513   416   NtFsControlFile  (416, 253, 0x0, 0x0, 0x11c017,  (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20M\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20M\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03514   416   NtClose  (420, ... ) == 0x0
 03515   416   NtClose  (416, ... ) == 0x0
 03516   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0
 03517   416   NtQueryKey  (416, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 03518   416   NtQuerySecurityObject  (416, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03519   416   NtQuerySecurityObject  (416, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03520   416   NtQueryValueKey  (416,  (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03521   416   NtClose  (416, ... ) == 0x0
 03522   416   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 03523   416   NtFsControlFile  (416, 0, 0x0, 0x0, 0x600bc,  (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03524   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03525   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0
 03526   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03527   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03528   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232208,  (0xc0100080, {24, 0, 0x40, 0, 1232208, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0
 03529   416   NtSetInformationFile  (424, 1232264, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03530   416   NtSetInformationFile  (424, 1232256, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03531   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03532   416   NtWriteFile  (424, 253, 0, 0,  (424, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03533   416   NtReadFile  (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03534   416   NtFsControlFile  (424, 253, 0x0, 0x0, 0x11c017,  (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N\35\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03535   416   NtClose  (420, ... ) == 0x0
 03536   416   NtClose  (424, ... ) == 0x0
 03537   416   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03538   416   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03539   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0
 03540   416   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 424, ) }, ... 424, ) == 0x0
 03541   416   NtWaitForSingleObject  (424, 0, {-1800000000, -1}, ... ) == 0x0
 03542   416   NtClose  (424, ... ) == 0x0
 03543   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03544   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0
 03545   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03546   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03547   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232244,  (0xc0100080, {24, 0, 0x40, 0, 1232244, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03548   416   NtSetInformationFile  (420, 1232300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03549   416   NtSetInformationFile  (420, 1232292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03550   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03551   416   NtWriteFile  (420, 253, 0, 0,  (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03552   416   NtReadFile  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03553   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03554   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03555   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03556   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0T\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03557   416   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0U\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03558   416   NtClose  (424, ... ) == 0x0
 03559   416   NtClose  (420, ... ) == 0x0
 03560   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03561   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03562   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03563   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03564   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == 0x0
 03565   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0
 03566   416   NtQueryValueKey  (420,  (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 03567   416   NtClose  (420, ... ) == 0x0
 03568   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0
 03569   416   NtQueryValueKey  (420,  (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 03570   416   NtClose  (420, ... ) == 0x0
 03571   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 420, ) }, ... 420, ) == 0x0
 03572   416   NtQueryValueKey  (420,  (420, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03573   416   NtClose  (420, ... ) == 0x0
 03574   416   NtRaiseException  (1222212, 1221472, 1, ...
 03575   416   NtContinue  (1220268, 0, ...
 03576   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03577   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03578   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03579   416   NtRaiseException  (1222208, 1221468, 1, ...
 03580   416   NtContinue  (1220264, 0, ...
 03581   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03582   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03583   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03584   416   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1232876, 0,  (0x1f0001, {24, 52, 0x80, 1232876, 0, "HGFSMUTEX"}, 1, ... 420, ) }, 1, ... 420, ) == STATUS_OBJECT_NAME_EXISTS
 03585   416   NtWaitForSingleObject  (420, 0, 0x0, ... ) == 0x0
 03586   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "HGFSMEMORY"}, ... 424, ) }, ... 424, ) == 0x0
 03587   416   NtMapViewOfSection  (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xfe0000), {0, 0}, 28672, ) == 0x0
 03588   416   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 03589   416   NtRaiseException  (1223264, 1222524, 1, ...
 03590   416   NtContinue  (1221320, 0, ...
 03591   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03592   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03593   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03594   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233920, 1233508,  (0xc0100080, {24, 0, 0x40, 1233920, 1233508, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 428, {status=0x0, info=0}, ) == 0x0
 03595   416   NtDeviceIoControlFile  (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 03596   416   NtClose  (428, ... ) == 0x0
 03597   416   NtRaiseException  (1223244, 1222504, 1, ...
 03598   416   NtContinue  (1221300, 0, ...
 03599   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03600   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03601   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03602   416   NtRaiseException  (1223264, 1222524, 1, ...
 03603   416   NtContinue  (1221320, 0, ...
 03604   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03605   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03606   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03607   416   NtAllocateVirtualMemory  (-1, 1511424, 0, 20480, 4096, 4, ... 1511424, 20480, ) == 0x0
 03608   416   NtAllocateVirtualMemory  (-1, 1531904, 0, 20480, 4096, 4, ... 1531904, 20480, ) == 0x0
 03609   416   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03610   416   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03611   416   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 428, ) }, ... 428, ) == 0x0
 03612   416   NtWaitForSingleObject  (428, 0, {-1800000000, -1}, ... ) == 0x0
 03613   416   NtClose  (428, ... ) == 0x0
 03614   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03615   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0
 03616   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03617   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03618   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232184,  (0xc0100080, {24, 0, 0x40, 0, 1232184, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0
 03619   416   NtSetInformationFile  (432, 1232240, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03620   416   NtSetInformationFile  (432, 1232232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03621   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03622   416   NtWriteFile  (432, 253, 0, 0,  (432, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03623   416   NtReadFile  (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03624   416   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\34\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03625   416   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03626   416   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03627   416   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0V\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03628   416   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0W\330.q\300i\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03629   416   NtClose  (428, ... ) == 0x0
 03630   416   NtClose  (432, ... ) == 0x0
 03631   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03632   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0
 03633   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03634   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03635   416   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232276,  (0xc0100080, {24, 0, 0x40, 0, 1232276, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 03636   416   NtSetInformationFile  (428, 1232332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03637   416   NtSetInformationFile  (428, 1232324, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03638   416   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03639   416   NtWriteFile  (428, 253, 0, 0,  (428, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03640   416   NtReadFile  (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20j \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03641   416   NtFsControlFile  (428, 253, 0x0, 0x0, 0x11c017,  (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20j \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20j \0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03642   416   NtClose  (432, ... ) == 0x0
 03643   416   NtClose  (428, ... ) == 0x0
 03644   416   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0
 03645   416   NtSetValueKey  (428,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03646   416   NtClose  (428, ... ) == 0x0
 03647   416   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0
 03648   416   NtQueryValueKey  (428,  (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03649   416   NtClose  (428, ... ) == 0x0
 03650   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03651   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03652   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03653   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03654   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03655   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03656   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03657   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03658   416   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0
 03659   416   NtSetValueKey  (428,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03660   416   NtClose  (428, ... ) == 0x0
 03661   416   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0
 03662   416   NtQueryValueKey  (428,  (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03663   416   NtClose  (428, ... ) == 0x0
 03664   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03665   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03666   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03667   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03668   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03669   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03670   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03671   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03672   416   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03673   416   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03674   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03675   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03676   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03677   416   NtClose  (428, ... ) == 0x0
 03678   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0
 03679   416   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "Network"}, ... 432, ) }, ... 432, ) == 0x0
 03680   416   NtClose  (428, ... ) == 0x0
 03681   416   NtQueryKey  (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03682   416   NtQuerySecurityObject  (432, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03683   416   NtQuerySecurityObject  (432, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03684   416   NtWaitForSingleObject  (120, 0, {0, 0}, ... ) == 0x102
 03685   416   NtEnumerateKey  (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03686   416   NtOpenKey  (0x2001f, {24, 432, 0x40, 0, 0,  (0x2001f, {24, 432, 0x40, 0, 0, "f"}, ... 428, ) }, ... 428, ) == 0x0
 03687   416   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03688   416   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03689   416   NtQueryValueKey  (428,  (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03690   416   NtQueryValueKey  (428,  (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03691   416   NtQueryValueKey  (428,  (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03692   416   NtQueryValueKey  (428,  (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03693   416   NtQueryValueKey  (428,  (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03694   416   NtClose  (428, ... ) == 0x0
 03695   416   NtEnumerateKey  (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03696   416   NtOpenKey  (0x2001f, {24, 432, 0x40, 0, 0,  (0x2001f, {24, 432, 0x40, 0, 0, "u"}, ... 428, ) }, ... 428, ) == 0x0
 03697   416   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03698   416   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03699   416   NtQueryValueKey  (428,  (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03700   416   NtQueryValueKey  (428,  (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03701   416   NtQueryValueKey  (428,  (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03702   416   NtQueryValueKey  (428,  (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03703   416   NtQueryValueKey  (428,  (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03704   416   NtClose  (428, ... ) == 0x0
 03705   416   NtClose  (432, ... ) == 0x0
 03706   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03707   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03708   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03709   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03710   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03711   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03712   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 432, ) }, ... 432, ) == 0x0
 03713   416   NtQueryKey  (434, Name, 392, ... {Name= (434, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03714   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03715   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03716   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03717   416   NtClose  (428, ... ) == 0x0
 03718   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03719   416   NtEnumerateKey  (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03720   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03721   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03722   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 428, ) }, ... 428, ) == 0x0
 03723   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03724   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03725   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03726   416   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03727   416   NtClose  (436, ... ) == 0x0
 03728   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03729   416   NtQueryValueKey  (430,  (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03730   416   NtClose  (430, ... ) == 0x0
 03731   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03732   416   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 428, {status=0x0, info=1}, ) }, 3, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 03733   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 436, ) }, ... 436, ) == 0x0
 03734   416   NtQuerySymbolicLinkObject  (436, ...  (436, ... "\Device\WinDfs\U:000000000000922c", 66, ) , 66, ) == 0x0
 03735   416   NtClose  (436, ... ) == 0x0
 03736   416   NtQueryVolumeInformationFile  (428, 1233596, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03737   416   NtClose  (428, ... ) == 0x0
 03738   416   NtEnumerateKey  (434, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03739   416   NtClose  (434, ... ) == 0x0
 03740   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 03741   416   NtQueryDirectoryFile  (432, 0, 0, 0, 1232380, 616, BothDirectory, 1,  (432, 0, 0, 0, 1232380, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03742   416   NtClose  (432, ... ) == 0x0
 03743   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03744   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03745   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 432, ) }, ... 432, ) == 0x0
 03746   416   NtQueryKey  (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03747   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03748   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03749   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03750   416   NtClose  (428, ... ) == 0x0
 03751   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03752   416   NtOpenKey  (0x1, {24, 434, 0x40, 0, 0,  (0x1, {24, 434, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03753   416   NtQueryKey  (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03754   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03755   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03756   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03757   416   NtClose  (428, ... ) == 0x0
 03758   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03759   416   NtOpenKey  (0x2000000, {24, 434, 0x40, 0, 0, ""}, ... 428, ) == 0x0
 03760   416   NtClose  (434, ... ) == 0x0
 03761   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03762   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03763   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03764   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03765   416   NtQueryValueKey  (432,  (432, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03766   416   NtClose  (432, ... ) == 0x0
 03767   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03768   416   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 432, ) == 0x0
 03769   416   NtQueryValueKey  (432,  (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03770   416   NtQueryValueKey  (432,  (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03771   416   NtClose  (432, ... ) == 0x0
 03772   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03773   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03774   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03775   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03776   416   NtQueryValueKey  (432,  (432, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03777   416   NtClose  (432, ... ) == 0x0
 03778   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03779   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03780   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03781   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03782   416   NtQueryValueKey  (432,  (432, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03783   416   NtClose  (432, ... ) == 0x0
 03784   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03785   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03786   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03787   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03788   416   NtQueryValueKey  (432,  (432, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03789   416   NtClose  (432, ... ) == 0x0
 03790   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03791   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03792   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03793   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03794   416   NtQueryValueKey  (432,  (432, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03795   416   NtClose  (432, ... ) == 0x0
 03796   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03797   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03798   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03799   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03800   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03801   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03802   416   NtQueryValueKey  (432,  (432, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03803   416   NtClose  (432, ... ) == 0x0
 03804   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03805   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03806   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03807   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03808   416   NtQueryValueKey  (432,  (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03809   416   NtClose  (432, ... ) == 0x0
 03810   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03811   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03812   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03813   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03814   416   NtQueryValueKey  (432,  (432, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03815   416   NtClose  (432, ... ) == 0x0
 03816   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03817   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03818   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03819   416   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0,  (0x2000000, {24, 260, 0x40, 0, 0, "Advanced"}, ... 432, ) }, ... 432, ) == 0x0
 03820   416   NtQueryValueKey  (432,  (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03821   416   NtQueryValueKey  (432,  (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03822   416   NtQueryValueKey  (432,  (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03823   416   NtQueryValueKey  (432,  (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03824   416   NtQueryValueKey  (432,  (432, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03825   416   NtQueryValueKey  (432,  (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03826   416   NtQueryValueKey  (432,  (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03827   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03828   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03829   416   NtQueryValueKey  (432,  (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03830   416   NtQueryValueKey  (432,  (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03831   416   NtQueryValueKey  (432,  (432, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03832   416   NtQueryValueKey  (432,  (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03833   416   NtQueryValueKey  (432,  (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03834   416   NtClose  (432, ... ) == 0x0
 03835   416   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329480, 0,  (0x1f0003, {24, 52, 0x80, 1329480, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 432, ) }, 0, 2147483647, ... 432, ) == STATUS_OBJECT_NAME_EXISTS
 03836   416   NtReleaseSemaphore  (432, 1, ... 0, ) == 0x0
 03837   416   NtWaitForSingleObject  (432, 0, {0, 0}, ... ) == 0x0
 03838   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03839   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03840   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03841   416   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03842   416   NtClose  (436, ... ) == 0x0
 03843   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03844   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03845   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03846   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03847   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03848   416   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03849   416   NtClose  (436, ... ) == 0x0
 03850   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03851   416   NtQueryValueKey  (430,  (430, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03852   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03853   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03854   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03855   416   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03856   416   NtClose  (436, ... ) == 0x0
 03857   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03858   416   NtQueryValueKey  (430,  (430, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03859   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03860   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03861   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03862   416   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03863   416   NtClose  (436, ... ) == 0x0
 03864   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03865   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03866   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03867   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03868   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 436, ) }, ... 436, ) == 0x0
 03869   416   NtQueryKey  (438, Name, 384, ... {Name= (438, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03870   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03871   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03872   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03873   416   NtClose  (440, ... ) == 0x0
 03874   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03875   416   NtOpenKey  (0x1, {24, 438, 0x40, 0, 0,  (0x1, {24, 438, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03876   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03877   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03878   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03879   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03880   416   NtClose  (440, ... ) == 0x0
 03881   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03882   416   NtQueryValueKey  (430,  (430, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03883   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03884   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03885   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03886   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03887   416   NtClose  (440, ... ) == 0x0
 03888   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03889   416   NtQueryValueKey  (430,  (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03890   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03891   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03892   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03893   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03894   416   NtClose  (440, ... ) == 0x0
 03895   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03896   416   NtQueryValueKey  (430,  (430, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03897   416   NtClose  (430, ... ) == 0x0
 03898   416   NtClose  (438, ... ) == 0x0
 03899   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03900   416   NtQueryDirectoryFile  (436, 0, 0, 0, 1232300, 616, BothDirectory, 1,  (436, 0, 0, 0, 1232300, 616, BothDirectory, 1, "wptarxbn.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 03901   416   NtClose  (436, ... ) == 0x0
 03902   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03903   416   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0,  (0x2000000, {24, 260, 0x40, 0, 0, "FileExts"}, ... 436, ) }, ... 436, ) == 0x0
 03904   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03905   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03906   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03907   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03908   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03909   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 428, ) }, ... 428, ) == 0x0
 03910   416   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03911   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03912   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03913   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03914   416   NtClose  (440, ... ) == 0x0
 03915   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03916   416   NtQueryValueKey  (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03917   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03918   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03919   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 440, ) }, ... 440, ) == 0x0
 03920   416   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03921   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03922   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 03923   416   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03924   416   NtClose  (444, ... ) == 0x0
 03925   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03926   416   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03927   416   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03928   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03929   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 03930   416   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03931   416   NtClose  (444, ... ) == 0x0
 03932   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03933   416   NtOpenKey  (0x2000000, {24, 442, 0x40, 0, 0, ""}, ... 444, ) == 0x0
 03934   416   NtClose  (442, ... ) == 0x0
 03935   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03936   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03937   416   NtReleaseSemaphore  (432, 1, ... 0, ) == 0x0
 03938   416   NtWaitForSingleObject  (432, 0, {0, 0}, ... ) == 0x0
 03939   416   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03940   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03941   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03942   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03943   416   NtClose  (440, ... ) == 0x0
 03944   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03945   416   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03946   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03947   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03948   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03949   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03950   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03951   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0
 03952   416   NtQueryKey  (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03953   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03954   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03955   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03956   416   NtClose  (448, ... ) == 0x0
 03957   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03958   416   NtQueryValueKey  (442,  (442, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03959   416   NtClose  (442, ... ) == 0x0
 03960   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03961   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03962   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03963   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03964   416   NtClose  (440, ... ) == 0x0
 03965   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03966   416   NtQueryValueKey  (446,  (446, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03967   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03968   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03969   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03970   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03971   416   NtClose  (440, ... ) == 0x0
 03972   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03973   416   NtQueryValueKey  (446,  (446, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03974   416   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03975   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03976   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03977   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03978   416   NtClose  (440, ... ) == 0x0
 03979   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03980   416   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03981   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03982   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03983   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 440, ) }, ... 440, ) == 0x0
 03984   416   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03985   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03986   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03987   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03988   416   NtClose  (448, ... ) == 0x0
 03989   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03990   416   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03991   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03992   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03993   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03994   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03995   416   NtClose  (448, ... ) == 0x0
 03996   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03997   416   NtQueryValueKey  (446,  (446, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03998   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03999   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04000   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04001   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04002   416   NtClose  (448, ... ) == 0x0
 04003   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04004   416   NtQueryValueKey  (446,  (446, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04005   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04006   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04007   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04008   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04009   416   NtClose  (448, ... ) == 0x0
 04010   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04011   416   NtQueryValueKey  (446,  (446, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04012   416   NtClose  (430, ... ) == 0x0
 04013   416   NtClose  (446, ... ) == 0x0
 04014   416   NtClose  (442, ... ) == 0x0
 04015   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04016   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04017   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04018   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04019   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04020   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04021   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0
 04022   416   NtQueryKey  (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04023   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04024   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04025   416   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04026   416   NtClose  (444, ... ) == 0x0
 04027   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04028   416   NtQueryValueKey  (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04029   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04030   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04031   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 444, ) }, ... 444, ) == 0x0
 04032   416   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04033   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04034   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04035   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04036   416   NtClose  (428, ... ) == 0x0
 04037   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04038   416   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04039   416   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04040   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04041   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04042   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04043   416   NtClose  (428, ... ) == 0x0
 04044   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04045   416   NtOpenKey  (0x2000000, {24, 446, 0x40, 0, 0, ""}, ... 428, ) == 0x0
 04046   416   NtClose  (446, ... ) == 0x0
 04047   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04048   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04049   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04050   416   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04051   416   NtClose  (444, ... ) == 0x0
 04052   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04053   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04054   416   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 04055   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04056   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04057   416   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04058   416   NtClose  (444, ... ) == 0x0
 04059   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04060   416   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04061   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04062   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04063   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04064   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 04065   416   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04066   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0
 04067   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04068   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04069   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04070   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04071   416   NtClose  (448, ... ) == 0x0
 04072   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04073   416   NtQueryValueKey  (446,  (446, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04074   416   NtClose  (446, ... ) == 0x0
 04075   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04076   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04077   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 444, ) }, ... 444, ) == 0x0
 04078   416   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 04079   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04080   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04081   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04082   416   NtClose  (448, ... ) == 0x0
 04083   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04084   416   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04085   416   NtClose  (442, ... ) == 0x0
 04086   416   NtClose  (430, ... ) == 0x0
 04087   416   NtClose  (446, ... ) == 0x0
 04088   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04089   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04090   416   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04091   416   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04092   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04093   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04094   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0
 04095   416   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04096   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04097   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04098   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04099   416   NtClose  (428, ... ) == 0x0
 04100   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04101   416   NtQueryValueKey  (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04102   416   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04103   416   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04104   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 428, ) }, ... 428, ) == 0x0
 04105   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04106   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04107   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 04108   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04109   416   NtClose  (440, ... ) == 0x0
 04110   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04111   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04112   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04113   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04114   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 04115   416   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04116   416   NtClose  (440, ... ) == 0x0
 04117   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04118   416   NtOpenKey  (0x2000000, {24, 430, 0x40, 0, 0, ""}, ... 440, ) == 0x0
 04119   416   NtClose  (430, ... ) == 0x0
 04120   416   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04121   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04122   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04123   416   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04124   416   NtClose  (428, ... ) == 0x0
 04125   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04126   416   NtOpenKey  (0x2000000, {24, 442, 0x40, 0, 0,  (0x2000000, {24, 442, 0x40, 0, 0, "shell\open"}, ... 428, ) }, ... 428, ) == 0x0
 04127   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04128   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04129   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04130   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04131   416   NtClose  (448, ... ) == 0x0
 04132   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04133   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04134   416   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04135   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04136   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04137   416   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04138   416   NtClose  (452, ... ) == 0x0
 04139   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04140   416   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04141   416   NtClose  (450, ... ) == 0x0
 04142   416   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04143   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 04144   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04145   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04146   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04147   416   NtClose  (448, ... ) == 0x0
 04148   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04149   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04150   416   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04151   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04152   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04153   416   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04154   416   NtClose  (452, ... ) == 0x0
 04155   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04156   416   NtQueryValueKey  (450,  (450, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04157   416   NtClose  (450, ... ) == 0x0
 04158   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\wptarxbn.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04159   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 04160   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04161   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04162   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04163   416   NtClose  (448, ... ) == 0x0
 04164   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04165   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04166   416   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04167   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04168   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04169   416   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04170   416   NtClose  (452, ... ) == 0x0
 04171   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04172   416   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04173   416   NtClose  (450, ... ) == 0x0
 04174   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04175   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04176   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04177   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04178   416   NtClose  (448, ... ) == 0x0
 04179   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04180   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04181   416   NtUserGetForegroundWindow  (... ) == 0x100a8
 04182   416   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04183   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04184   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04185   416   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04186   416   NtClose  (448, ... ) == 0x0
 04187   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04188   416   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04189   416   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04190   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04191   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04192   416   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04193   416   NtClose  (452, ... ) == 0x0
 04194   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04195   416   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04196   416   NtClose  (450, ... ) == 0x0
 04197   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04198   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04199   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04200   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04201   416   NtQueryValueKey  (448,  (448, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04202   416   NtClose  (448, ... ) == 0x0
 04203   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04204   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04205   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04206   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04207   416   NtQueryValueKey  (448,  (448, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04208   416   NtClose  (448, ... ) == 0x0
 04209   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\wptarxbn.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04210   416   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04211   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\wptarxbn.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04212   416   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04213   416   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04214   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04215   416   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04216   416   NtQueryValueKey  (448,  (448, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04217   416   NtClose  (448, ... ) == 0x0
 04218   416   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\wptarxbn.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04219   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 04220   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1228792, ... ) }, 1228792, ... ) == 0x0
 04221   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 04222   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0
 04223   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 04224   416   NtQueryVolumeInformationFile  (448, 1228792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04225   416   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04226   416   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04227   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) == 0x0
 04228   416   NtQueryInformationFile  (452, 1227380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04229   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 452, ... 456, ) == 0x0
 04230   416   NtMapViewOfSection  (456, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1490000), 0x0, 1028096, ) == 0x0
 04231   416   NtQueryInformationFile  (452, 1227476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04232   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04233   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04234   416   NtQueryDirectoryFile  (460, 0, 0, 0, 1225040, 616, BothDirectory, 1,  (460, 0, 0, 0, 1225040, 616, BothDirectory, 1, "wptarxbn.bat", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 04235   416   NtClose  (460, ... ) == 0x0
 04236   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04237   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04238   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1224428, ... ) }, 1224428, ... ) == 0x0
 04239   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04240   416   NtQueryDirectoryFile  (460, 0, 0, 0, 1223788, 616, BothDirectory, 1,  (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04241   416   NtClose  (460, ... ) == 0x0
 04242   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04243   416   NtQueryDirectoryFile  (460, 0, 0, 0, 1223788, 616, BothDirectory, 1,  (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, "wptarxbn.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 04244   416   NtClose  (460, ... ) == 0x0
 04245   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04246   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04247   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04248   416   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 460, {status=0x0, info=1}, ) }, 3, 96, ... 460, {status=0x0, info=1}, ) == 0x0
 04249   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 464, ) }, ... 464, ) == 0x0
 04250   416   NtQuerySymbolicLinkObject  (464, ...  (464, ... "\Device\WinDfs\U:000000000000922c", 66, ) , 66, ) == 0x0
 04251   416   NtClose  (464, ... ) == 0x0
 04252   416   NtQueryVolumeInformationFile  (460, 1225180, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04253   416   NtClose  (460, ... ) == 0x0
 04254   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04255   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 460, ) == 0x0
 04256   416   NtQueryInformationToken  (460, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04257   416   NtClose  (460, ... ) == 0x0
 04258   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04259   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\wptarxbn.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04260   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04261   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04262   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wptarxbn.bat"}, 1226708, ... ) }, 1226708, ... ) == 0x0
 04263   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04264   416   NtQueryDirectoryFile  (460, 0, 0, 0, 1226068, 616, BothDirectory, 1,  (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04265   416   NtClose  (460, ... ) == 0x0
 04266   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04267   416   NtQueryDirectoryFile  (460, 0, 0, 0, 1226068, 616, BothDirectory, 1,  (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, "wptarxbn.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 04268   416   NtClose  (460, ... ) == 0x0
 04269   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04270   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04271   416   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04272   416   NtQueryVolumeInformationFile  (448, 1227352, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04273   416   NtQueryInformationFile  (448, 1227332, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04274   416   NtQueryInformationFile  (448, 1227372, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04275   416   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04276   416   NtUnmapViewOfSection  (-1, 0x1490000, ... ) == 0x0
 04277   416   NtClose  (456, ... ) == 0x0
 04278   416   NtClose  (452, ... ) == 0x0
 04279   416   NtClose  (448, ... ) == 0x0
 04280   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04281   416   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04282   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == 0x0
 04283   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 04284   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0
 04285   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... 452, ) == 0x0
 04286   416   NtQuerySection  (452, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04287   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04288   416   NtCreateProcessEx  (1231420, 2035711, 0, -1, 0, 452, 0, 0, 0, ... ) == 0x0
 04289   416   NtSetInformationProcess  (456, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04290   416   NtQueryInformationProcess  (456, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=220,ParentPid=412,}, 0x0, ) == 0x0
 04291   416   NtReadVirtualMemory  (456, 0x7ffdf008, 4, ...  (456, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 04292   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04293   416   NtReadVirtualMemory  (456, 0x4ad00000, 4096, ...  (456, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 04294   416   NtReadVirtualMemory  (456, 0x4ad3b000, 256, ...  (456, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 04295   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04296   416   NtQueryInformationProcess  (456, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=220,ParentPid=412,}, 0x0, ) == 0x0
 04297   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229484, ... ) }, 1229484, ... ) == 0x0
 04298   416   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 16777216, 4096, ) == 0x0
 04299   416   NtAllocateVirtualMemory  (456, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04300   416   NtWriteVirtualMemory  (456, 0x10000,  (456, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04301   416   NtAllocateVirtualMemory  (456, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 04302   416   NtWriteVirtualMemory  (456, 0x20000,  (456, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0@\0B\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\24\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 04303   416   NtWriteVirtualMemory  (456, 0x7ffdf010,  (456, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04304   416   NtWriteVirtualMemory  (456, 0x7ffdf1e8,  (456, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04305   416   NtFreeVirtualMemory  (-1, (0x1000000), 0, 32768, ... (0x1000000), 4096, ) == 0x0
 04306   416   NtAllocateVirtualMemory  (456, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04307   416   NtAllocateVirtualMemory  (456, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 04308   416   NtCreateThread  (0x1f03ff, 0x0, 456, 1229684, 1230404, 1, ... 460, {220, 216}, ) == 0x0
 04309   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\334\0\0\0\330\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2651, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\334\0\0\0\330\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 412, 416, 2651, 0}  (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\334\0\0\0\330\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2651, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\334\0\0\0\330\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04310   416   NtResumeThread  (460, ... 1, ) == 0x0
 04311   416   NtClose  (448, ... ) == 0x0
 04312   416   NtClose  (452, ... ) == 0x0
 04313   416   NtClose  (430, ... ) == 0x0
 04314   416   NtClose  (446, ... ) == 0x0
 04315   416   NtClose  (442, ... ) == 0x0
 04316   416   NtClose  (456, ... ) == 0x0
 04317   416   NtClose  (460, ... ) == 0x0
 04318   416   NtFreeVirtualMemory  (-1, (0x162000), 20480, 16384, ... (0x162000), 20480, ) == 0x0
 04319   416   NtGdiDeleteObjectApp  (218629228, ... ) == 0x1
 04320   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04321   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04322   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04323   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04324   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04325   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04326   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04327   416   NtUserGetClassInfo  (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0
 04328   416   NtUnmapViewOfSection  (-1, 0xff0000, ... ) == 0x0
 04329   416   NtClose  (392, ... ) == 0x0
 04330   416   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 04331   416   NtUserDestroyWindow  (131300, ...
 04332   416   NtUserRemoveProp  (131300, 43288, ... ) == 0xffffffff
 04333   416   NtUserRemoveProp  (131300, 43282, ... ) == 0x0
 04334   416   NtUserRemoveProp  (131300, 43287, ... ) == 0x0
 04331   416   NtUserDestroyWindow  ... ) == 0x1
 04335   416   NtUserUnregisterClass  (1234864, 1998258176, 1234852, ... ) == 0x1
 04336   416   NtClose  (296, ... ) == 0x0
 04337   416   NtClose  (288, ... ) == 0x0
 04338   416   NtClose  (292, ... ) == 0x0
 04339   416   NtClose  (268, ... ) == 0x0
 04340   416   NtClose  (284, ... ) == 0x0
 04341   416   NtClose  (316, ... ) == 0x0
 04342   416   NtClose  (320, ... ) == 0x0
 04343   416   NtClose  (312, ... ) == 0x0
 04344   416   NtClose  (304, ... ) == 0x0
 04345   416   NtClose  (308, ... ) == 0x0
 04346   416   NtClose  (332, ... ) == 0x0
 04347   416   NtClose  (336, ... ) == 0x0
 04348   416   NtClose  (324, ... ) == 0x0
 04349   416   NtClose  (328, ... ) == 0x0
 04350   416   NtClose  (356, ... ) == 0x0
 04351   416   NtClose  (348, ... ) == 0x0
 04352   416   NtClose  (352, ... ) == 0x0
 04353   416   NtClose  (340, ... ) == 0x0
 04354   416   NtClose  (344, ... ) == 0x0
 04355   416   NtClose  (360, ... ) == 0x0
 04356   416   NtClose  (364, ... ) == 0x0
 04357   416   NtClose  (376, ... ) == 0x0
 04358   416   NtClose  (380, ... ) == 0x0
 04359   416   NtClose  (368, ... ) == 0x0
 04360   416   NtClose  (372, ... ) == 0x0
 04361   416   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 04362   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1235740, ... ) }, 1235740, ... ) == 0x0
 04363   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1236432, ... ) }, 1236432, ... ) == 0x0
 04364   416   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 04365   416   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 372, ... 368, ) == 0x0
 04366   416   NtQueryVolumeInformationFile  (372, 1235740, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04367   416   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04368   416   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04369   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0
 04370   416   NtQueryInformationFile  (380, 1234328, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04371   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 380, ... 376, ) == 0x0
 04372   416   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1490000), 0x0, 1028096, ) == 0x0
 04373   416   NtQueryInformationFile  (380, 1234424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04374   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04375   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04376   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1231988, 616, BothDirectory, 1,  (364, 0, 0, 0, 1231988, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04377   416   NtClose  (364, ... ) == 0x0
 04378   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04379   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04380   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1231376, ... ) }, 1231376, ... ) == 0x0
 04381   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04382   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04383   416   NtClose  (364, ... ) == 0x0
 04384   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04385   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04386   416   NtClose  (364, ... ) == 0x0
 04387   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04388   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04389   416   NtClose  (364, ... ) == 0x0
 04390   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04391   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04392   416   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04393   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04394   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 04395   416   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04396   416   NtClose  (364, ... ) == 0x0
 04397   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04398   416   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\Isass.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04399   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04400   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04401   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1233656, ... ) }, 1233656, ... ) == 0x0
 04402   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04403   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04404   416   NtClose  (364, ... ) == 0x0
 04405   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04406   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04407   416   NtClose  (364, ... ) == 0x0
 04408   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04409   416   NtQueryDirectoryFile  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04410   416   NtClose  (364, ... ) == 0x0
 04411   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04412   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04413   416   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04414   416   NtQueryVolumeInformationFile  (372, 1234300, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04415   416   NtQueryInformationFile  (372, 1234280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04416   416   NtQueryInformationFile  (372, 1234320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04417   416   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04418   416   NtUnmapViewOfSection  (-1, 0x1490000, ... ) == 0x0
 04419   416   NtClose  (376, ... ) == 0x0
 04420   416   NtClose  (380, ... ) == 0x0
 04421   416   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04422   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Isass.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04423   416   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 04424   416   NtOpenProcessToken  (-1, 0xa, ... 380, ) == 0x0
 04425   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0
 04426   416   NtQueryValueKey  (376,  (376, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 04427   416   NtQueryValueKey  (376,  (376, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (376, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 04428   416   NtClose  (376, ... ) == 0x0
 04429   416   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 376, ) }, ... 376, ) == 0x0
 04430   416   NtQuerySymbolicLinkObject  (376, ...  (376, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 04431   416   NtClose  (376, ... ) == 0x0
 04432   416   NtQueryInformationFile  (372, 1234092, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 04433   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04434   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04435   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1232772, ... ) }, 1232772, ... ) == 0x0
 04436   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04437   416   NtQueryDirectoryFile  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04438   416   NtClose  (376, ... ) == 0x0
 04439   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04440   416   NtQueryDirectoryFile  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04441   416   NtClose  (376, ... ) == 0x0
 04442   416   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04443   416   NtQueryDirectoryFile  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04444   416   NtClose  (376, ... ) == 0x0
 04445   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04446   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04447   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0
 04448   416   NtQueryValueKey  (376,  (376, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04449   416   NtClose  (376, ... ) == 0x0
 04450   416   NtQueryInformationToken  (380, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 04451   416   NtQueryInformationToken  (380, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 04452   416   NtClose  (380, ... ) == 0x0
 04453   416   NtCreateProcessEx  (1238368, 2035711, 0, -1, 4, 368, 0, 0, 0, ... ) == 0x0
 04454   416   NtSetInformationProcess  (380, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 04455   416   NtQueryInformationProcess  (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=236,ParentPid=412,}, 0x0, ) == 0x0
 04456   416   NtReadVirtualMemory  (380, 0x7ffdf008, 4, ...  (380, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 04457   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04458   416   NtReadVirtualMemory  (380, 0x400000, 4096, ...  (380, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\250E\275\305\303L\34\227(\275\232\202z5\212PE\0\0L\1\6\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0@\4\0\0\240\2\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\4\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\241\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 04459   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04460   416   NtQueryInformationProcess  (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=236,ParentPid=412,}, 0x0, ) == 0x0
 04461   416   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 16711680, 4096, ) == 0x0
 04462   416   NtAllocateVirtualMemory  (380, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04463   416   NtWriteVirtualMemory  (380, 0x10000,  (380, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04464   416   NtAllocateVirtualMemory  (380, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 04465   416   NtWriteVirtualMemory  (380, 0x20000,  (380, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\367\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 04466   416   NtWriteVirtualMemory  (380, 0x7ffdf010,  (380, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04467   416   NtWriteVirtualMemory  (380, 0x7ffdf1e8,  (380, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04468   416   NtFreeVirtualMemory  (-1, (0xff0000), 0, 32768, ... (0xff0000), 4096, ) == 0x0
 04469   416   NtAllocateVirtualMemory  (380, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04470   416   NtAllocateVirtualMemory  (380, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 04471   416   NtProtectVirtualMemory  (380, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 04472   416   NtCreateThread  (0x1f03ff, 0x0, 380, 1236632, 1237352, 1, ... 376, {236, 664}, ) == 0x0
 04473   416   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485912, 1238452}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485912, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\354\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2684, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\354\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 412, 416, 2684, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485912, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\354\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 412, 416, 2684, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\354\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04474   416   NtResumeThread  (376, ... 1, ) == 0x0
 04475   416   NtClose  (372, ... ) == 0x0
 04476   416   NtClose  (368, ... ) == 0x0
 04477   416   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 368, ) == 0x0
 04478   416   NtYieldExecution  (... ) == 0x0
 04479   416   NtFreeVirtualMemory  (-1, (0x148000), 4096, 16384, ... (0x148000), 4096, ) == 0x0
 04480   416   NtClose  (96, ... ) == 0x0
 04481   416   NtClose  (92, ... ) == 0x0
 04482   416   NtFreeVirtualMemory  (-1, (0xdb0000), 0, 32768, ... (0xdb0000), 65536, ) == 0x0
 04483   416   NtYieldExecution  (... ) == 0x0
 04484   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 04485   416   NtClearEvent  (212, ... ) == 0x0
 04486   416   NtClose  (212, ... ) == 0x0
 04487   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 04488   416   NtUnmapViewOfSection  (-1, 0x76fb0000, ... ) == 0x0
 04489   416   NtUnmapViewOfSection  (-1, 0x76f60000, ... ) == 0x0
 04490   416   NtUnmapViewOfSection  (-1, 0x71a50000, ... ) == 0x0
 04491   416   NtClose  (108, ... ) == 0x0
 04492   416   NtClose  (104, ... ) == 0x0
 04493   416   NtTerminateProcess  (0, 0, ...
 01734  1352   NtDelayExecution  ... ) == 0xc0
 01722  1488   NtDelayExecution  ... ) == 0xc0
 01743   780   NtDelayExecution  ... ) == 0xc0
 03045   212   NtWaitForMultipleObjects  ... ) == 0xc0
 04493   416   NtTerminateProcess  ... ) == 0x0
 04494   416   NtRaiseException  (1238116, 1237376, 1, ...
 04495   416   NtContinue  (1236172, 0, ...
 04496   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04497   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04498   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04499   416   NtRaiseException  (1228092, 1227352, 1, ...
 04500   416   NtContinue  (1226148, 0, ...
 04501   416   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04502   416   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04503   416   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04504   416   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 04505   416   NtClose  (424, ... ) == 0x0
 04506   416   NtClose  (420, ... ) == 0x0
 04507   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0
 04508   416   NtFreeVirtualMemory  (-1, (0xfd0000), 0, 32768, ... (0xfd0000), 65536, ) == 0x0
 04509   416   NtClose  (408, ... ) == 0x0
 04510   416   NtClose  (416, ... ) == 0x0
 04511   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0
 04512   416   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0
 04513   416   NtQueryValueKey  (416,  (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 04514   416   NtClose  (416, ... ) == 0x0
 04515   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 04516   416   NtFreeVirtualMemory  (-1, (0xfa0000), 0, 32768, ... (0xfa0000), 65536, ) == 0x0
 04517   416   NtUnmapViewOfSection  (-1, 0xe80000, ... ) == 0x0
 04518   416   NtClose  (384, ... ) == 0x0
 04519   416   NtFreeVirtualMemory  (-1, (0xe90000), 4096, 16384, ... (0xe90000), 4096, ) == 0x0
 04520   416   NtFreeVirtualMemory  (-1, (0xe90000), 0, 32768, ... (0xe90000), 65536, ) == 0x0
 04521   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 04522   416   NtFreeVirtualMemory  (-1, (0x15e000), 12288, 16384, ... (0x15e000), 12288, ) == 0x0
 04523   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 04524   416   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 04525   416   NtClose  (240, ... ) == 0x0
 04526   416   NtGdiDeleteObjectApp  (34603849, ... ) == 0x1
 04527   416   NtUserGetProcessWindowStation  (... ) == 0x28
 04528   416   NtUserBuildNameList  (40, 256, 1328520, 1238756, ... ) == 0x0
 04529   416   NtUserGetProcessWindowStation  (... ) == 0x28
 04530   416   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xf0
 04531   416   NtUserBuildHwndList  (240, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x300e2, 0x300c6, 0x100d6, 0x100be, 0x100bc, 0x100ba, 0x60036, 0x20060, 0x20064, 0x2005e, 0x20062, 0x100a8, 0x100d8, 0x100cc, 0x100ca, 0x100b8, 0x100a2, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 41, ) == 0x0
 04532   416   NtUserQueryWindow  (196684, 0, ... ) == 0x764
 04533   416   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 04534   416   NtUserQueryWindow  (65758, 0, ... ) == 0x764
 04535   416   NtUserQueryWindow  (65758, 1, ... ) == 0x784
 04536   416   NtUserQueryWindow  (65718, 0, ... ) == 0x7c8
 04537   416   NtUserQueryWindow  (65718, 1, ... ) == 0x7cc
 04538   416   NtUserQueryWindow  (65716, 0, ... ) == 0x7c8
 04539   416   NtUserQueryWindow  (65716, 1, ... ) == 0x7cc
 04540   416   NtUserQueryWindow  (65714, 0, ... ) == 0x7c8
 04541   416   NtUserQueryWindow  (65714, 1, ... ) == 0x7cc
 04542   416   NtUserQueryWindow  (65710, 0, ... ) == 0x7c8
 04543   416   NtUserQueryWindow  (65710, 1, ... ) == 0x7cc
 04544   416   NtUserQueryWindow  (65696, 0, ... ) == 0x764
 04545   416   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 04546   416   NtUserQueryWindow  (65662, 0, ... ) == 0x764
 04547   416   NtUserQueryWindow  (65662, 1, ... ) == 0x784
 04548   416   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 04549   416   NtUserQueryWindow  (65664, 0, ... ) == 0x764
 04550   416   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 04551   416   NtUserQueryWindow  (65670, 0, ... ) == 0x764
 04552   416   NtUserQueryWindow  (65670, 1, ... ) == 0x784
 04553   416   NtUserQueryWindow  (65672, 0, ... ) == 0x764
 04554   416   NtUserQueryWindow  (65672, 1, ... ) == 0x784
 04555   416   NtUserQueryWindow  (65674, 0, ... ) == 0x764
 04556   416   NtUserQueryWindow  (65674, 1, ... ) == 0x784
 04557   416   NtUserQueryWindow  (65678, 0, ... ) == 0x764
 04558   416   NtUserQueryWindow  (65678, 1, ... ) == 0x784
 04559   416   NtUserQueryWindow  (65680, 0, ... ) == 0x764
 04560   416   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 04561   416   NtUserQueryWindow  (65682, 0, ... ) == 0x764
 04562   416   NtUserQueryWindow  (65682, 1, ... ) == 0x784
 04563   416   NtUserQueryWindow  (65684, 0, ... ) == 0x764
 04564   416   NtUserQueryWindow  (65684, 1, ... ) == 0x784
 04565   416   NtUserQueryWindow  (65686, 0, ... ) == 0x764
 04566   416   NtUserQueryWindow  (65686, 1, ... ) == 0x784
 04567   416   NtUserQueryWindow  (65690, 0, ... ) == 0x764
 04568   416   NtUserQueryWindow  (65690, 1, ... ) == 0x784
 04569   416   NtUserQueryWindow  (65692, 0, ... ) == 0x764
 04570   416   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 04571   416   NtUserQueryWindow  (65694, 0, ... ) == 0x764
 04572   416   NtUserQueryWindow  (65694, 1, ... ) == 0x784
 04573   416   NtUserQueryWindow  (65652, 0, ... ) == 0x764
 04574   416   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 04575   416   NtUserQueryWindow  (65640, 0, ... ) == 0x764
 04576   416   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 04577   416   NtUserQueryWindow  (196682, 0, ... ) == 0x764
 04578   416   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 04579   416   NtUserQueryWindow  (65638, 0, ... ) == 0x764
 04580   416   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 04581   416   NtUserQueryWindow  (196668, 0, ... ) == 0x764
 04582   416   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 04583   416   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 04584   416   NtUserQueryWindow  (196670, 0, ... ) == 0x764
 04585   416   NtUserQueryWindow  (196670, 1, ... ) == 0x784
 04586   416   NtUserQueryWindow  (196674, 0, ... ) == 0x764
 04587   416   NtUserQueryWindow  (196674, 1, ... ) == 0x784
 04588   416   NtUserQueryWindow  (196672, 0, ... ) == 0x764
 04589   416   NtUserQueryWindow  (196672, 1, ... ) == 0x784
 04590   416   NtUserQueryWindow  (196676, 0, ... ) == 0x764
 04591   416   NtUserQueryWindow  (196676, 1, ... ) == 0x784
 04592   416   NtUserQueryWindow  (196678, 0, ... ) == 0x764
 04593   416   NtUserQueryWindow  (196678, 1, ... ) == 0x784
 04594   416   NtUserQueryWindow  (196680, 0, ... ) == 0x764
 04595   416   NtUserQueryWindow  (196680, 1, ... ) == 0x784
 04596   416   NtUserQueryWindow  (65642, 0, ... ) == 0x764
 04597   416   NtUserQueryWindow  (65642, 1, ... ) == 0x784
 04598   416   NtUserQueryWindow  (65646, 0, ... ) == 0x764
 04599   416   NtUserQueryWindow  (65646, 1, ... ) == 0x784
 04600   416   NtUserQueryWindow  (65650, 0, ... ) == 0x764
 04601   416   NtUserQueryWindow  (65650, 1, ... ) == 0x784
 04602   416   NtUserQueryWindow  (65688, 0, ... ) == 0x764
 04603   416   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 04604   416   NtUserQueryWindow  (65676, 0, ... ) == 0x764
 04605   416   NtUserQueryWindow  (65676, 1, ... ) == 0x784
 04606   416   NtUserQueryWindow  (65660, 0, ... ) == 0x764
 04607   416   NtUserQueryWindow  (65660, 1, ... ) == 0x768
 04608   416   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 04609   416   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 04610   416   NtUserQueryWindow  (196834, 0, ... ) == 0xdc
 04611   416   NtUserQueryWindow  (196834, 1, ... ) == 0xd8
 04612   416   NtUserQueryWindow  (196806, 0, ... ) == 0x4ac
 04613   416   NtUserQueryWindow  (196806, 1, ... ) == 0x140
 04614   416   NtUserQueryWindow  (65750, 0, ... ) == 0x4ac
 04615   416   NtUserQueryWindow  (65750, 1, ... ) == 0x140
 04616   416   NtUserQueryWindow  (65726, 0, ... ) == 0x7d4
 04617   416   NtUserQueryWindow  (65726, 1, ... ) == 0x7d8
 04618   416   NtUserQueryWindow  (65724, 0, ... ) == 0x7d4
 04619   416   NtUserQueryWindow  (65724, 1, ... ) == 0x7d8
 04620   416   NtUserQueryWindow  (65722, 0, ... ) == 0x7d4
 04621   416   NtUserQueryWindow  (65722, 1, ... ) == 0x7d8
 04622   416   NtUserQueryWindow  (393270, 0, ... ) == 0x7d4
 04623   416   NtUserQueryWindow  (393270, 1, ... ) == 0x7d8
 04624   416   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 04625   416   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 04626   416   NtUserQueryWindow  (131172, 0, ... ) == 0x7d4
 04627   416   NtUserQueryWindow  (131172, 1, ... ) == 0x7d8
 04628   416   NtUserQueryWindow  (131166, 0, ... ) == 0x7d4
 04629   416   NtUserQueryWindow  (131166, 1, ... ) == 0x7d8
 04630   416   NtUserQueryWindow  (131170, 0, ... ) == 0x7d4
 04631   416   NtUserQueryWindow  (131170, 1, ... ) == 0x7d8
 04632   416   NtUserQueryWindow  (65704, 0, ... ) == 0x7e8
 04633   416   NtUserQueryWindow  (65704, 1, ... ) == 0x7ec
 04634   416   NtUserQueryWindow  (65752, 0, ... ) == 0x764
 04635   416   NtUserQueryWindow  (65752, 1, ... ) == 0x4c4
 04636   416   NtUserQueryWindow  (65740, 0, ... ) == 0x764
 04637   416   NtUserQueryWindow  (65740, 1, ... ) == 0x4c4
 04638   416   NtUserBuildHwndList  (0, 65740, 1, 0, 64, ... (0x100ce, 0x100d0, 0x100d2, 0x100d4, 0x1, ), 5, ) == 0x0
 04639   416   NtUserQueryWindow  (65742, 0, ... ) == 0x764
 04640   416   NtUserQueryWindow  (65742, 1, ... ) == 0x4c4
 04641   416   NtUserQueryWindow  (65744, 0, ... ) == 0x764
 04642   416   NtUserQueryWindow  (65744, 1, ... ) == 0x4c4
 04643   416   NtUserQueryWindow  (65746, 0, ... ) == 0x764
 04644   416   NtUserQueryWindow  (65746, 1, ... ) == 0x4c4
 04645   416   NtUserQueryWindow  (65748, 0, ... ) == 0x764
 04646   416   NtUserQueryWindow  (65748, 1, ... ) == 0x4c4
 04647   416   NtUserQueryWindow  (65738, 0, ... ) == 0x764
 04648   416   NtUserQueryWindow  (65738, 1, ... ) == 0x784
 04649   416   NtUserQueryWindow  (65720, 0, ... ) == 0x7c8
 04650   416   NtUserQueryWindow  (65720, 1, ... ) == 0x7cc
 04651   416   NtUserQueryWindow  (65698, 0, ... ) == 0x7b0
 04652   416   NtUserQueryWindow  (65698, 1, ... ) == 0x7b4
 04653   416   NtUserQueryWindow  (65644, 0, ... ) == 0x764
 04654   416   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 04655   416   NtUserQueryWindow  (327760, 0, ... ) == 0x764
 04656   416   NtUserQueryWindow  (327760, 1, ... ) == 0x768
 04657   416   NtUserQueryWindow  (262228, 0, ... ) == 0x764
 04658   416   NtUserQueryWindow  (262228, 1, ... ) == 0x768
 04659   416   NtUserQueryWindow  (327758, 0, ... ) == 0x764
 04660   416   NtUserQueryWindow  (327758, 1, ... ) == 0x768
 04661   416   NtUserQueryWindow  (65666, 0, ... ) == 0x764
 04662   416   NtUserQueryWindow  (65666, 1, ... ) == 0x768
 04663   416   NtUserQueryWindow  (65654, 0, ... ) == 0x764
 04664   416   NtUserQueryWindow  (65654, 1, ... ) == 0x768
 04665   416   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 04666   416   NtUserQueryWindow  (65656, 0, ... ) == 0x764
 04667   416   NtUserQueryWindow  (65656, 1, ... ) == 0x768
 04668   416   NtUserQueryWindow  (65658, 0, ... ) == 0x764
 04669   416   NtUserQueryWindow  (65658, 1, ... ) == 0x768
 04670   416   NtUserCloseDesktop  (240, ...
 04671   416   NtClose  (240, ... ) == 0x0
 04670   416   NtUserCloseDesktop  ... ) == 0x1
 04672   416   NtUserGetProcessWindowStation  (... ) == 0x28
 04673   416   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04674   416   NtUserGetProcessWindowStation  (... ) == 0x28
 04675   416   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04676   416   NtGdiDeleteObjectApp  (50987847, ... ) == 0x1
 04677   416   NtGdiDeleteObjectApp  (50987846, ... ) == 0x1
 04678   416   NtClose  (12, ... ) == 0x0
 04679   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 04680   416   NtFreeVirtualMemory  (-1, (0x158000), 16384, 16384, ... (0x158000), 16384, ) == 0x0
 04681   416   NtFreeVirtualMemory  (-1, (0xdc0000), 0, 32768, ... (0xdc0000), 262144, ) == 0x0
 04682   416   NtUserUnregisterClass  (1238716, 1991376896, 1238704, ... ) == 0x0
 04683   416   NtClose  (192, ... ) == 0x0
 04684   416   NtUnmapViewOfSection  (-1, 0xe10000, ... ) == 0x0
 04685   416   NtClose  (196, ... ) == 0x0
 04686   416   NtClose  (188, ... ) == 0x0
 04687   416   NtFreeVirtualMemory  (-1, (0x151000), 4096, 16384, ... (0x151000), 4096, ) == 0x0
 04688   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 04689   416   NtFreeVirtualMemory  (-1, (0xc30000), 0, 32768, ... (0xc30000), 262144, ) == 0x0
 04690   416   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04691   416   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04692   416   NtReleaseMutant  (76, ... 0x0, ) == 0x0
 04693   416   NtUserUnhookWindowsHookEx  (196667, ... ) == 0x1
 04694   416   NtTerminateThread  (80, 0, ... ) == 0x0
 04695   416   NtTerminateThread  (56, 0, ... ) == 0x0
 04696   416   NtTerminateThread  (72, 0, ... ) == 0x0
 04697   416   NtUserKillTimer  (0, 32761, ... ) == 0x1
 04698   416   NtClose  (84, ... ) == 0x0
 04699   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b
 04700   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04701   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d
 04702   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04703   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f
 04704   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04705   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc041
 04706   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04707   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc043
 04708   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04709   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc045
 04710   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04711   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc047
 04712   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04713   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc049
 04714   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04715   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b
 04716   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04717   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d
 04718   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04719   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f
 04720   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04721   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc051
 04722   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04723   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc053
 04724   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04725   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc057
 04726   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04727   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc059
 04728   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04729   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b
 04730   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04731   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d
 04732   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04733   416   NtUserGetClassInfo  (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f
 04734   416   NtUserUnregisterClass  (1238808, 1999896576, 1238796, ... ) == 0x1
 04735   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b
 04736   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04737   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d
 04738   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04739   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f
 04740   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04741   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc041
 04742   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04743   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc043
 04744   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04745   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc045
 04746   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04747   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc047
 04748   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04749   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc049
 04750   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04751   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b
 04752   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04753   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d
 04754   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04755   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f
 04756   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04757   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc051
 04758   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04759   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc053
 04760   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04761   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc057
 04762   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04763   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc059
 04764   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04765   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b
 04766   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04767   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d
 04768   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04769   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f
 04770   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04771   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc017
 04772   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04773   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc019
 04774   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04775   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc018
 04776   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04777   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01a
 04778   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04779   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01c
 04780   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04781   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01e
 04782   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04783   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01b
 04784   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04785   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc068
 04786   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04787   416   NtUserGetClassInfo  (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc06a
 04788   416   NtUserUnregisterClass  (1238808, 1905590272, 1238796, ... ) == 0x1
 04789   416   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 04790   416   NtFreeVirtualMemory  (-1, (0x175000), 4096, 16384, ... (0x175000), 4096, ) == 0x0
 04791   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04792   416   NtClose  (264, ... ) == 0x0
 04793   416   NtClose  (432, ... ) == 0x0
 04794   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04795   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04796   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04797   416   NtClose  (260, ... ) == 0x0
 04798   416   NtClose  (436, ... ) == 0x0
 04799   416   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 04800   416   NtUnmapViewOfSection  (-1, 0x1090000, ... ) == 0x0
 04801   416   NtClose  (404, ... ) == 0x0
 04802   416   NtClose  (248, ... ) == 0x0
 04803   416   NtFreeVirtualMemory  (-1, (0x890000), 4096, 32768, ... (0x890000), 4096, ) == 0x0
 04804   416   NtClose  (388, ... ) == 0x0
 04805   416   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720}  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 2698, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 412, 416, 2698, 0}  (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 2698, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04806   416   NtTerminateProcess  (-1, 0, ...
 04807   416   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtQueryDefaultLocale(>)	42
NtAllocateLocallyUniqueId(>)	1	NtSetEvent(>)	2	NtCreateThread(>)	8	NtContinue(>)	45
NtCallbackReturn(>)	1	NtUnlockFile(>)	2	NtOpenSymbolicLinkObject(>)	8	NtCreateEvent(>)	46
NtDuplicateToken(>)	1	NtUserCloseDesktop(>)	2	NtQuerySymbolicLinkObject(>)	8	NtUserUnregisterClass(>)	47
NtGdiCreateBitmap(>)	1	NtUserCreateWindowEx(>)	2	NtRegisterThreadTerminatePort(>)	8	NtUserFindExistingCursorIcon(>)	49
NtGdiCreateHalftonePalette(>)	1	NtUserDestroyWindow(>)	2	NtResumeThread(>)	8	NtQueryInformationFile(>)	50
NtGdiCreatePaletteInternal(>)	1	NtUserGetObjectInformation(>)	2	NtQueryVirtualMemory(>)	9	NtSetInformationFile(>)	50
NtGdiCreatePatternBrushInternal(>)	1	NtUserMessageCall(>)	2	NtReadVirtualMemory(>)	9	NtQueryDirectoryFile(>)	51
NtGdiDoPalette(>)	1	NtUserSetTimer(>)	2	NtQueryDefaultUILanguage(>)	10	NtCreateFile(>)	52
NtGdiInit(>)	1	NtYieldExecution(>)	2	NtUserGetWindowDC(>)	10	NtDelayExecution(>)	59
NtGdiQueryFontAssocInfo(>)	1	NtOpenMutant(>)	3	NtUserCallOneParam(>)	11	NtQueryInformationProcess(>)	63
NtGdiSelectBitmap(>)	1	NtOpenProcess(>)	3	NtUserSystemParametersInfo(>)	11	NtUserRegisterClassExWOW(>)	65
NtOpenKeyedEvent(>)	1	NtTerminateProcess(>)	3	NtSetValueKey(>)	13	NtProtectVirtualMemory(>)	71
NtQueryFullAttributesFile(>)	1	NtTerminateThread(>)	3	NtWriteVirtualMemory(>)	16	NtUnmapViewOfSection(>)	71
NtQueryObject(>)	1	NtUserOpenDesktop(>)	3	NtNotifyChangeKey(>)	17	NtCreateSection(>)	73
NtQueryPerformanceCounter(>)	1	NtUserRemoveProp(>)	3	NtOpenProcessToken(>)	17	NtWaitForSingleObject(>)	74
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	3	NtCreateKey(>)	18	NtOpenSection(>)	78
NtSecureConnectPort(>)	1	NtConnectPort(>)	4	NtDeviceIoControlFile(>)	18	NtReadFile(>)	83
NtUserBuildNameList(>)	1	NtCreateProcessEx(>)	4	NtUserRegisterWindowMessage(>)	19	NtUserGetClassInfo(>)	91
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtWriteFile(>)	20	NtQuerySystemInformation(>)	95
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtQueryVolumeInformationFile(>)	21	NtOpenProcessTokenEx(>)	112
NtUserGetForegroundWindow(>)	1	NtQueryInformationJobObject(>)	4	NtFsControlFile(>)	22	NtOpenThreadTokenEx(>)	112
NtUserGetGUIThreadInfo(>)	1	NtQueryInformationThread(>)	4	NtRaiseException(>)	23	NtAllocateVirtualMemory(>)	119
NtUserGetThreadDesktop(>)	1	NtQuerySecurityObject(>)	4	NtFlushInstructionCache(>)	24	NtMapViewOfSection(>)	120
NtUserKillTimer(>)	1	NtUserWaitForInputIdle(>)	4	NtFreeVirtualMemory(>)	24	NtQueryKey(>)	129
NtUserSetProp(>)	1	NtCreateMutant(>)	5	NtQueryDebugFilterState(>)	26	NtOpenFile(>)	130
NtUserSetWindowsHookEx(>)	1	NtGdiGetStockObject(>)	5	NtReleaseSemaphore(>)	27	NtQueryInformationToken(>)	133
NtUserUnhookWindowsHookEx(>)	1	NtSetInformationObject(>)	5	NtRequestWaitReplyPort(>)	29	NtUserQueryWindow(>)	134
NtAccessCheck(>)	2	NtUserBuildHwndList(>)	5	NtEnumerateKey(>)	31	NtQueryAttributesFile(>)	182
NtClearEvent(>)	2	NtUserGetProcessWindowStation(>)	5	NtSetInformationThread(>)	31	NtQueryValueKey(>)	371
NtCreateIoCompletion(>)	2	NtCreateSemaphore(>)	6	NtEnumerateValueKey(>)	33	NtOpenKey(>)	531
NtGdiCreateSolidBrush(>)	2	NtGdiDeleteObjectApp(>)	6	NtOpenThreadToken(>)	36	NtClose(>)	713
NtGdiHfontCreate(>)	2	NtSetEventBoostPriority(>)	6	NtSetInformationProcess(>)	36
NtLockFile(>)	2	NtDuplicateObject(>)	7	NtQuerySection(>)	37
NtOpenDirectoryObject(>)	2