Summary:


NtAllocateLocallyUniqueId(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtUserCallOneParam(>)  30 

NtCallbackReturn(>)  1 
NtSetEvent(>)  2 
NtUserCallNoParam(>)  7 
NtWriteFile(>)  30 

NtClearEvent(>)  1 
NtTestAlert(>)  2 
NtUserDestroyCursor(>)  7 
NtEnumerateKey(>)  32 

NtConnectPort(>)  1 
NtUserCloseDesktop(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenThreadToken(>)  32 

NtDelayExecution(>)  1 
NtUserCreateWindowEx(>)  2 
NtGdiCreateBitmap(>)  8 
NtCreateEvent(>)  33 

NtDuplicateToken(>)  1 
NtUserDestroyWindow(>)  2 
NtWriteVirtualMemory(>)  8 
NtFlushInstructionCache(>)  34 

NtGdiCreateHalftonePalette(>)  1 
NtUserGetObjectInformation(>)  2 
NtGdiExtGetObjectW(>)  10 
NtUnmapViewOfSection(>)  38 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserMessageCall(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtQueryInformationProcess(>)  39 

NtGdiDoPalette(>)  1 
NtAddAtom(>)  3 
NtSetValueKey(>)  10 
NtQueryDefaultLocale(>)  42 

NtGdiInit(>)  1 
NtCreateThread(>)  3 
NtUserGetWindowDC(>)  10 
NtContinue(>)  46 

NtGdiQueryFontAssocInfo(>)  1 
NtDuplicateObject(>)  3 
NtGdiCreateCompatibleDC(>)  11 
NtUserUnregisterClass(>)  47 

NtOpenKeyedEvent(>)  1 
NtOpenProcess(>)  3 
NtUserGetDC(>)  11 
NtCreateSection(>)  57 

NtQueryFullAttributesFile(>)  1 
NtResumeThread(>)  3 
NtQueryVirtualMemory(>)  12 
NtGdiSelectBitmap(>)  57 

NtQueryInformationThread(>)  1 
NtTerminateProcess(>)  3 
NtFreeVirtualMemory(>)  13 
NtUserRegisterClassExWOW(>)  65 

NtQueryObject(>)  1 
NtUserOpenDesktop(>)  3 
NtOpenProcessToken(>)  14 
NtProtectVirtualMemory(>)  68 

NtQueryPerformanceCounter(>)  1 
NtUserRemoveProp(>)  3 
NtUserSelectPalette(>)  14 
NtOpenSection(>)  73 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  3 
NtUserSystemParametersInfo(>)  14 
NtUserFindExistingCursorIcon(>)  73 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtCreateKey(>)  15 
NtReleaseMutant(>)  74 

NtUserBuildNameList(>)  1 
NtOpenEvent(>)  4 
NtNotifyChangeKey(>)  15 
NtAllocateVirtualMemory(>)  83 

NtUserEnumDisplayMonitors(>)  1 
NtOpenMutant(>)  4 
NtQueryVolumeInformationFile(>)  15 
NtMapViewOfSection(>)  83 

NtUserGetAtomName(>)  1 
NtQuerySecurityObject(>)  4 
NtRequestWaitReplyPort(>)  15 
NtWaitForSingleObject(>)  84 

NtUserGetForegroundWindow(>)  1 
NtGdiHfontCreate(>)  5 
NtDeviceIoControlFile(>)  17 
NtOpenFile(>)  89 

NtUserGetGUIThreadInfo(>)  1 
NtReadVirtualMemory(>)  5 
NtFsControlFile(>)  17 
NtQuerySystemInformation(>)  91 

NtUserGetKeyboardLayoutList(>)  1 
NtSetInformationObject(>)  5 
NtQueryDirectoryFile(>)  19 
NtUserGetClassInfo(>)  91 

NtUserGetThreadDesktop(>)  1 
NtUserBuildHwndList(>)  5 
NtSetInformationProcess(>)  21 
NtReadFile(>)  95 

NtUserSetProp(>)  1 
NtUserGetProcessWindowStation(>)  5 
NtUserRegisterWindowMessage(>)  21 
NtOpenProcessTokenEx(>)  110 

NtUserSetWindowsHookEx(>)  1 
NtCreateSemaphore(>)  6 
NtEnumerateValueKey(>)  23 
NtOpenThreadTokenEx(>)  110 

NtAccessCheck(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtRaiseException(>)  23 
NtQueryInformationToken(>)  126 

NtCreateIoCompletion(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtGdiDeleteObjectApp(>)  24 
NtQueryKey(>)  129 

NtCreateProcessEx(>)  2 
NtGdiBitBlt(>)  7 
NtQueryDebugFilterState(>)  24 
NtUserQueryWindow(>)  138 

NtDeleteAtom(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtSetInformationFile(>)  26 
NtQueryAttributesFile(>)  157 

NtGdiCreatePaletteInternal(>)  2 
NtGdiGetDCObject(>)  7 
NtReleaseSemaphore(>)  27 
NtQueryValueKey(>)  223 

NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtSetInformationThread(>)  28 
NtOpenKey(>)  478 

NtOpenDirectoryObject(>)  2 
NtGdiGetStockObject(>)  7 
NtQuerySection(>)  29 
NtClose(>)  576 

NtQueryInformationJobObject(>)  2 
NtGdiRestoreDC(>)  7 
NtCreateFile(>)  30 

NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 

Trace:
 00001   424   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   424   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   424   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   424   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   424   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   424   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   424   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   424   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   424   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   424   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   424   NtClose  (12, ... ) == 0x0
 00014   424   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   424   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   424   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   424   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   424   NtClose  (16, ... ) == 0x0
 00021   424   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   424   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   424   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   424   NtClose  (16, ... ) == 0x0
 00026   424   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   424   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   424   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   424   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   424   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 416, 424, 1474, 0} "\350\206\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 416, 424, 1474, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 416, 424, 1474, 0} "\350\206\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   424   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   424   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   424   NtClose  (16, ... ) == 0x0
 00036   424   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   424   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   424   NtClose  (28, ... ) == 0x0
 00041   424   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   424   NtClose  (28, ... ) == 0x0
 00045   424   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   424   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   424   NtClose  (28, ... ) == 0x0
 00049   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   424   NtClose  (28, ... ) == 0x0
 00052   424   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   424   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 416, 424, 1475, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 416, 424, 1475, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 416, 424, 1475, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 8, ) == 0x0
 00057   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 8, ... (0x422000), 4096, 4, ) == 0x0
 00058   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00059   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   424   NtClose  (28, ... ) == 0x0
 00062   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   424   NtClose  (28, ... ) == 0x0
 00065   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00066   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00067   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00068   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   424   NtClose  (28, ... ) == 0x0
 00071   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00072   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00073   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00074   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00076   424   NtClose  (28, ... ) == 0x0
 00077   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00078   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00079   424   NtClose  (28, ... ) == 0x0
 00080   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00082   424   NtClose  (28, ... ) == 0x0
 00083   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00085   424   NtClose  (28, ... ) == 0x0
 00086   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00087   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00088   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00089   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00091   424   NtClose  (28, ... ) == 0x0
 00092   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00094   424   NtClose  (28, ... ) == 0x0
 00095   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00096   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00097   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00098   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00099   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00100   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00101   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102   424   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00103   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00106   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00107   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00108   424   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00109   424   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00110   424   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00111   424   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00113   424   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00114   424   NtClose  (40, ... ) == 0x0
 00115   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00116   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00117   424   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00118   424   NtClose  (40, ... ) == 0x0
 00119   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00120   424   NtClose  (36, ... ) == 0x0
 00121   424   NtClose  (28, ... ) == 0x0
 00122   424   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00123   424   NtClose  (32, ... ) == 0x0
 00124   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00128   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00129   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00130   424   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00131   424   NtClose  (32, ... ) == 0x0
 00132   424   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00133   424   NtClose  (28, ... ) == 0x0
 00134   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00135   424   NtProtectVirtualMemory  (-1, (0x422000), 4096, 4, ... (0x422000), 4096, 4, ) == 0x0
 00136   424   NtFlushInstructionCache  (-1, 4333568, 4096, ... ) == 0x0
 00137   424   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00138   424   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00139   424   NtClose  (28, ... ) == 0x0
 00140   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00141   424   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00142   424   NtClose  (28, ... ) == 0x0
 00143   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   424   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   424   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146   424   NtClose  (28, ... ) == 0x0
 00147   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00148   424   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   424   NtClose  (28, ... ) == 0x0
 00150   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00151   424   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00152   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00154   424   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00155   424   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00156   424   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00157   424   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00158   424   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00159   424   NtClose  (32, ... ) == 0x0
 00160   424   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00161   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00162   424   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 416, 424, 1476, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 416, 424, 1476, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 416, 424, 1476, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00163   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164   424   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00165   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00166   424   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00167   424   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482032, ) == 0x0
 00168   424   NtQueryInformationToken  (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00169   424   NtQueryInformationToken  (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00170   424   NtClose  (-2147482032, ... ) == 0x0
 00171   424   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00172   424   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00173   424   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00174   424   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00175   424   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176   424   NtClose  (-2147482032, ... ) == 0x0
 00177   424   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00178   424   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   424   NtClose  (-2147482032, ... ) == 0x0
 00180   424   NtQueryDefaultLocale  (0, -104224244, ... ) == 0x0
 00181   424   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00182   424   NtUserCallNoParam  (24, ... ) == 0x0
 00183   424   NtGdiCreateCompatibleDC  (0, ...
 00184   424   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00183   424   NtGdiCreateCompatibleDC  ... ) == 0x140103c9
 00185   424   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00186   424   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00187   424   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050405
 00188   424   NtGdiCreateSolidBrush  (0, 0, ...
 00189   424   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00188   424   NtGdiCreateSolidBrush  ... ) == 0x161003fd
 00190   424   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00191   424   NtGdiCreateCompatibleDC  (0, ... ) == 0x400103e1
 00192   424   NtGdiSelectBitmap  (1073808353, 319095813, ... ) == 0x185000f
 00193   424   NtUserGetThreadDesktop  (424, 0, ... ) == 0x2c
 00194   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00195   424   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00196   424   NtClose  (52, ... ) == 0x0
 00197   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00198   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810fc017
 00199   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00200   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810fc01c
 00201   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00202   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810fc01e
 00203   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00204   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810f8002
 00205   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00206   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810fc018
 00207   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00208   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810fc01a
 00209   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00210   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810fc01d
 00211   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00212   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00213   424   NtAllocateVirtualMemory  (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0
 00212   424   NtUserRegisterClassExWOW  ... ) == 0x810fc026
 00214   424   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   424   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810fc019
 00216   424   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810fc020
 00217   424   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810fc022
 00218   424   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810fc023
 00219   424   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810fc024
 00220   424   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810fc025
 00221   424   NtCallbackReturn  (0, 0, 0, ...
 00222   424   NtGdiInit  (... ) == 0x1
 00223   424   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00224   424   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00225   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00227   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00228   424   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00229   424   NtClose  (52, ... ) == 0x0
 00230   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00231   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00232   424   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00233   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00234   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00235   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00236   424   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   424   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   424   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00239   424   NtClose  (52, ... ) == 0x0
 00240   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00241   424   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   424   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   424   NtClose  (52, ... ) == 0x0
 00244   424   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00245   424   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   424   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00247   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   424   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00250   424   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   424   NtClose  (56, ... ) == 0x0
 00252   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00255   424   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   424   NtClose  (56, ... ) == 0x0
 00257   424   NtQueryDefaultUILanguage  (1241756, ...
 00258   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00259   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00260   424   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00261   424   NtClose  (-2147482032, ... ) == 0x0
 00262   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00263   424   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   424   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00265   424   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   424   NtClose  (-2147482036, ... ) == 0x0
 00267   424   NtClose  (-2147482032, ... ) == 0x0
 00257   424   NtQueryDefaultUILanguage  ... ) == 0x0
 00268   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   424   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00270   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00271   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00272   424   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 8323072, ) == 0x0
 00273   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   424   NtQueryDefaultUILanguage  (2013024600, ...
 00275   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00277   424   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   424   NtClose  (-2147482032, ... ) == 0x0
 00279   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00280   424   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   424   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00282   424   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   424   NtClose  (-2147482036, ... ) == 0x0
 00284   424   NtClose  (-2147482032, ... ) == 0x0
 00274   424   NtQueryDefaultUILanguage  ... ) == 0x0
 00285   424   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00286   424   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00287   424   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00288   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   424   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1477, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 416, 424, 1477, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1477, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00290   424   NtClose  (56, ... ) == 0x0
 00291   424   NtClose  (60, ... ) == 0x0
 00292   424   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00293   424   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00294   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00295   424   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00297   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00298   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00300   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00301   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00302   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00303   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00304   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00305   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00306   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00307   424   NtClose  (56, ... ) == 0x0
 00308   424   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0
 00309   424   NtClose  (64, ... ) == 0x0
 00310   424   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00311   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00312   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00313   424   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00314   424   NtClose  (64, ... ) == 0x0
 00315   424   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00316   424   NtClose  (56, ... ) == 0x0
 00317   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00318   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00319   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00320   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00321   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00322   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00323   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00324   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00325   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00326   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00327   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00328   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00329   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00330   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00331   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00332   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   424   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   424   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   424   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   424   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00339   424   NtQueryDefaultUILanguage  (1239368, ...
 00340   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00341   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00342   424   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00343   424   NtClose  (-2147482032, ... ) == 0x0
 00344   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00345   424   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00346   424   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00347   424   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   424   NtClose  (-2147482036, ... ) == 0x0
 00349   424   NtClose  (-2147482032, ... ) == 0x0
 00339   424   NtQueryDefaultUILanguage  ... ) == 0x0
 00350   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00352   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00353   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00354   424   NtClose  (56, ... ) == 0x0
 00355   424   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00356   424   NtClose  (64, ... ) == 0x0
 00357   424   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00358   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00359   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00360   424   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00361   424   NtClose  (64, ... ) == 0x0
 00362   424   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00363   424   NtClose  (56, ... ) == 0x0
 00364   424   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00365   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00366   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00367   424   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00368   424   NtQueryInformationFile  (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00369   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   424   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1478, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 416, 424, 1478, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1478, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00371   424   NtClose  (56, ... ) == 0x0
 00372   424   NtClose  (64, ... ) == 0x0
 00373   424   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00374   424   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00375   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00376   424   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00377   424   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00378   424   NtUserGetDC  (0, ... ) == 0x1010051
 00379   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00380   424   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00381   424   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00382   424   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00383   424   NtAccessCheck  (1327448, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00384   424   NtClose  (64, ... ) == 0x0
 00385   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00386   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00387   424   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00388   424   NtClose  (64, ... ) == 0x0
 00389   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00390   424   NtSetInformationObject  (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00391   424   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00392   424   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   424   NtClose  (56, ... ) == 0x0
 00394   424   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00395   424   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00396   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00397   424   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00399   424   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   424   NtClose  (68, ... ) == 0x0
 00401   424   NtClose  (56, ... ) == 0x0
 00402   424   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00403   424   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00404   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0
 00405   424   NtEnumerateValueKey  (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00406   424   NtClose  (56, ... ) == 0x0
 00407   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00408   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc03b
 00409   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc03d
 00410   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00411   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc03f
 00412   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00413   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc041
 00414   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00415   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc043
 00416   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc045
 00417   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00418   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc047
 00419   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00420   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc049
 00421   424   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00422   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00423   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc04b
 00424   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc04d
 00426   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc04f
 00428   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc051
 00429   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc053
 00431   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc055
 00433   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc057
 00434   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc059
 00436   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00437   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc05b
 00438   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc05d
 00440   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00441   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc05f
 00442   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00443   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc017
 00444   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00445   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc019
 00446   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00447   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc018
 00448   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00449   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00450   424   NtAllocateVirtualMemory  (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0
 00449   424   NtUserRegisterClassExWOW  ... ) == 0x810fc01a
 00451   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00452   424   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810fc01c
 00453   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00454   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc01e
 00455   424   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00456   424   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810fc01b
 00457   424   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00458   424   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810fc068
 00459   424   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00460   424   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810fc06a
 00461   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00462   424   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00463   424   NtClose  (56, ... ) == 0x0
 00464   424   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {416, 0}, ... 56, ) == 0x0
 00465   424   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00466   424   NtClose  (56, ... ) == 0x0
 00467   424   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00468   424   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00469   424   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00470   424   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00471   424   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00472   424   NtClose  (56, ... ) == 0x0
 00473   424   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00474   424   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00475   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00476   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00477   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc03b
 00478   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00479   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc03d
 00480   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00481   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00482   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc03f
 00483   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00484   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00485   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc041
 00486   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00487   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00488   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc043
 00489   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00490   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc045
 00491   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00492   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00493   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc047
 00494   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00495   424   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00496   424   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810fc049
 00497   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00498   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00499   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc04b
 00500   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00501   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00502   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc04d
 00503   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00504   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00505   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc04f
 00506   424   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00507   424   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810fc051
 00508   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00509   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00510   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc053
 00511   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00512   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00513   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc055
 00514   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc057
 00515   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00516   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00517   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc059
 00518   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00519   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00520   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc05b
 00521   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00522   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00523   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc05d
 00524   424   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00525   424   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00526   424   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810fc05f
 00527   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00528   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00529   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00530   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00531   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00532   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00533   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00534   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00535   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00536   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00537   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00538   424   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00539   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00540   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00541   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00542   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00543   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00544   424   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00545   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00546   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00547   424   NtTestAlert  (... ) == 0x0
 00548   424   NtContinue  (1244464, 1, ...
 00549   424   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x423000,}, 4, ... ) == 0x0
 00550   424   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 56, ) }, ... 56, ) == 0x0
 00551   424   NtQueryValueKey  (56,  (56, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00552   424   NtClose  (56, ... ) == 0x0
 00553   424   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00554   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00555   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00556   424   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 3, 1, 5, 1311416}  (24, {20, 48, new_msg, 0, 3, 1, 5, 1311416} "\0\0\0\0\2\0\1\0`\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 416, 424, 1479, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 416, 424, 1479, 0}  (24, {20, 48, new_msg, 0, 3, 1, 5, 1311416} "\0\0\0\0\2\0\1\0`\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 416, 424, 1479, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00557   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 68, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 68, {status=0x0, info=2}, ) == 0x0
 00558   424   NtClose  (68, ... ) == 0x0
 00559   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00560   424   NtClose  (-2147482032, ... ) == 0x0
 00559   424   NtCreateFile  ... 68, {status=0x0, info=3}, ) == 0x0
 00561   424   NtSetInformationFile  (56, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00562   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "&\243\340\0i\371\260\0o\371\277\0\224\6\260\0\323\371\260\0k\371\260\0+\371\252\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\373\260\0\321\351\260\16tM\271\315JA\261L\246\330 \220?\221\331sK\211\302o\14\213\321mK\224\305s\37\331\322eK\213\305nK\214\336d\16\213\220W\2\227\2032f\363\2247k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0k\371\260\0", ) , ) == 0x0
 00563   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00564   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ">\361\206\34\4\305\375E\4\213\311,\313\224\321\10[\3721\7\2431\326\331\119\361\304\243\272x\354\265-\247\335(\365+\364\342\314;j0\221\306k^\334\362(\224\370\316\204\345u\253r\355\304\240\240&\357\347:\30\306\307I\4F;\367Q\224S1\343\1\365Q\207\225M-\230\217\330Ju\223\235\303\227\250\312\371\16m\4\3013x3\224\200\213\337r\372XF\335\267\220\241\220^r\32\233\227\177\6O\12G\201\214\231J\341\324\360\277h\310]V\327\23\261\277\234W\354j"\274pa'CP\14\232x\266u\273\223\350\22\21\2735\2OT&\217\241\277\11\266$\200\2i\231\360\3\371\261\30\211)\241\2132O\242W\324\277\252\23\17\357\350\2\1\207\346\1\22\17\261x\324l=\352\274\16PW$`\362\253a\35556[\307\11m\17", ) \354\265-\247\335(\365+\364\342\314;j0\221\306k^\334\362(\224\370\316\204\345u\253r\355\304\240\240&\357\347:\30\306\307I\4F;\367Q\224S1\343\1\365Q\207\225M-\230\217\330Ju\223\235\303\227\250\312\371\16m\4\3013x3\224\200\213\337r\372XF\335\267\220\241\220^r\32\233\227\177\6O\12G\201\214\231J\341\324\360\277h\310]V\327\23\261\277\234W\354j (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ">\361\206\34\4\305\375E\4\213\311,\313\224\321\10[\3721\7\2431\326\331\119\361\304\243\272x\354\265-\247\335(\365+\364\342\314;j0\221\306k^\334\362(\224\370\316\204\345u\253r\355\304\240\240&\357\347:\30\306\307I\4F;\367Q\224S1\343\1\365Q\207\225M-\230\217\330Ju\223\235\303\227\250\312\371\16m\4\3013x3\224\200\213\337r\372XF\335\267\220\241\220^r\32\233\227\177\6O\12G\201\214\231J\341\324\360\277h\310]V\327\23\261\277\234W\354j"\274pa'CP\14\232x\266u\273\223\350\22\21\2735\2OT&\217\241\277\11\266$\200\2i\231\360\3\371\261\30\211)\241\2132O\242W\324\277\252\23\17\357\350\2\1\207\346\1\22\17\261x\324l=\352\274\16PW$`\362\253a\35556[\307\11m\17", ) , ) == 0x0
 00565   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00566   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\274;\273X\323\353\245wZ\363\274H\270\264s\30!o\374\340>\\2HkR"\345\333|\7}s\275\360\221\216i\325Z\17\245\350Ye\242*\09\262\323T;\235\211dp\233\2446\17\231!\345\373\234\332!\7\221\341\226(o\302\14\37\211\234\35\242\231{z\27\314\310@Ax(C{\205\252\301\24|$\235\360\231\327\20\305\211\13\363RR\346%yq\2749@}\240\274lr69\361\270<\14\343\226\360\323\224\16\232\276Cs\367\10Q)\3049\235\277\133\301\260e\256\363%\347\4\222\225\365]\334\375\3664\230\277\257\306\335\273\244\270\305\25\244\5g\267\265>on\372V[\217\22\310\201\177\215\366n\3620K+\241s\13\371~\345?`\211sk\304\324[\221\327\35x\257_1\261\367j\327H\27\217\277\321l\30~\336\31\217z\343T\31\214\325\1E\3728\4\4\14\201\322\341\251\246D{\373\207\304\356\207;wP\310y\212#\272\364\10\227\6\362\2674\371\270\215\36\366;|c\376\201\300\341\367\213J\227\214\7~\312\242>\a\13\254\16\235:o\237"\214Ro0RA\371|\271\224\16j\300H~\266\\327\5F=\213\200S\336\277Mo\242K\302\31\355\257\4N\17\202\37V9\321b\230\273\212,s\232\201\233\253^\356\212\6o\177\260s\350c\377s\356\12\356\242\343o\7\205\256\13}\341?\36f\300D\355f\7\350\32\353\36o9\240\5\7\0$\350\250\33\36\25]\355]\373\1 \374\22x?\353\34o:\3359]\355q\22R\35\341\225\252\221\7\341\362\305\371\6r\11\223\36\373u\233v\23:\340\306\3\4\353\306\265\2666Z\267\203\272\266\261\267d\13O\255\301N\372\20\21\376N\261\31\362\307\15dFy\3!%\32\5W>O\321\345#OB\216w\211\1", ) \345\333|\7}s\275\360\221\216i\325Z\17\245\350Ye\242*\09\262\323T;\235\211dp\233\2446\17\231!\345\373\234\332!\7\221\341\226(o\302\14\37\211\234\35\242\231{z\27\314\310@Ax(C{\205\252\301\24|$\235\360\231\327\20\305\211\13\363RR\346%yq\2749@}\240\274lr69\361\270<\14\343\226\360\323\224\16\232\276Cs\367\10Q)\3049\235\277\133\301\260e\256\363%\347\4\222\225\365]\334\375\3664\230\277\257\306\335\273\244\270\305\25\244\5g\267\265>on\372V[\217\22\310\201\177\215\366n\3620K+\241s\13\371~\345?`\211sk\304\324[\221\327\35x\257_1\261\367j\327H\27\217\277\321l\30~\336\31\217z\343T\31\214\325\1E\3728\4\4\14\201\322\341\251\246D{\373\207\304\356\207;wP\310y\212#\272\364\10\227\6\362\2674\371\270\215\36\366;|c\376\201\300\341\367\213J\227\214\7~\312\242>\a\13\254\16\235:o\237 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\274;\273X\323\353\245wZ\363\274H\270\264s\30!o\374\340>\\2HkR"\345\333|\7}s\275\360\221\216i\325Z\17\245\350Ye\242*\09\262\323T;\235\211dp\233\2446\17\231!\345\373\234\332!\7\221\341\226(o\302\14\37\211\234\35\242\231{z\27\314\310@Ax(C{\205\252\301\24|$\235\360\231\327\20\305\211\13\363RR\346%yq\2749@}\240\274lr69\361\270<\14\343\226\360\323\224\16\232\276Cs\367\10Q)\3049\235\277\133\301\260e\256\363%\347\4\222\225\365]\334\375\3664\230\277\257\306\335\273\244\270\305\25\244\5g\267\265>on\372V[\217\22\310\201\177\215\366n\3620K+\241s\13\371~\345?`\211sk\304\324[\221\327\35x\257_1\261\367j\327H\27\217\277\321l\30~\336\31\217z\343T\31\214\325\1E\3728\4\4\14\201\322\341\251\246D{\373\207\304\356\207;wP\310y\212#\272\364\10\227\6\362\2674\371\270\215\36\366;|c\376\201\300\341\367\213J\227\214\7~\312\242>\a\13\254\16\235:o\237"\214Ro0RA\371|\271\224\16j\300H~\266\\327\5F=\213\200S\336\277Mo\242K\302\31\355\257\4N\17\202\37V9\321b\230\273\212,s\232\201\233\253^\356\212\6o\177\260s\350c\377s\356\12\356\242\343o\7\205\256\13}\341?\36f\300D\355f\7\350\32\353\36o9\240\5\7\0$\350\250\33\36\25]\355]\373\1 \374\22x?\353\34o:\3359]\355q\22R\35\341\225\252\221\7\341\362\305\371\6r\11\223\36\373u\233v\23:\340\306\3\4\353\306\265\2666Z\267\203\272\266\261\267d\13O\255\301N\372\20\21\376N\261\31\362\307\15dFy\3!%\32\5W>O\321\345#OB\216w\211\1", ) , ) == 0x0
 00567   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00568   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\375\22M\265\353.\34f8p5\6}y:\265\34?5\227\24\367\307\21\15F\4\22>\365\325\211bY\351\6\330>\321\35[E\254\210\337\202/\240\341t%>a\371\4\274\14\327\367\263\32\323p0r\240+4j>\262\316\357[\357\271\342n\204tc\243\264\310\366}&\244@'At\10\242\343\364>\253\224\361>\361\342",yv5\343u\365\13#{\33\200\305s\274&By\201\254V\35[\12v\362\307\266\235\177M\13$s\345\373|\250\365v^\237qi[xT1\254\245\306\214N\201\234\2a\2712\32\357\362HB\314\3570{^O\240\31\245g\300\353l\335d\350Xy&t\350\273\227!\3\240\360{\370\373=\5\177\37s\377F\324\N\15X'\360\15^\220\364~\177\20\266\277\363D\364\2733\240\240I\251\0\326F \267C\227\264\337\0P\251\214/G\330\223\207{\216\2148p\213x\310W\301\2148B\330\226\205\314\36\377\210l"\213w0\367$\341j\365\20\346\252d\260\233c\203\266\243p\373\236,\256>\346\272\301\310\246z\235;\240\360:t"`\350\357\244\310\217\245"\246\313J\377X\233\22\254\307Y\33a\243J\240\35X0\344\17\374s\253\0\354\25\250\1\251\211i\22\311\367s^T\370B\2040~\233\271>\7D\15\336\17\264\322\26\17\365\376\34\257h\353A\350\234\332i\277L\26\265\204\203:W\204\273`\377\340\372\33ec\330O\372\275\355\25c\335\222\16j\345\361\340\13n\322\364(s\242\20\237\243\26\266m\360\337\21\223\11\34\0s\31\264UE\360\231*b\375\27\26c\251\334\253\327\15\243\4\240q\227\247)\377\232H\203aC9\262\267\5j\236\377@\354\205\222\342\321\270\271H\234\251\373\204\08\216\316\350\24\211\333\330\307\351\257\322\223\254\3558", ) ,yv5\343u\365\13#{\33\200\305s\274&By\201\254V\35[\12v\362\307\266\235\177M\13$s\345\373|\250\365v^\237qi[xT1\254\245\306\214N\201\234\2a\2712\32\357\362HB\314\3570{^O\240\31\245g\300\353l\335d\350Xy&t\350\273\227!\3\240\360{\370\373=\5\177\37s\377F\324\N\15X'\360\15^\220\364~\177\20\266\277\363D\364\2733\240\240I\251\0\326F \267C\227\264\337\0P\251\214/G\330\223\207{\216\2148p\213x\310W\301\2148B\330\226\205\314\36\377\210l (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\375\22M\265\353.\34f8p5\6}y:\265\34?5\227\24\367\307\21\15F\4\22>\365\325\211bY\351\6\330>\321\35[E\254\210\337\202/\240\341t%>a\371\4\274\14\327\367\263\32\323p0r\240+4j>\262\316\357[\357\271\342n\204tc\243\264\310\366}&\244@'At\10\242\343\364>\253\224\361>\361\342",yv5\343u\365\13#{\33\200\305s\274&By\201\254V\35[\12v\362\307\266\235\177M\13$s\345\373|\250\365v^\237qi[xT1\254\245\306\214N\201\234\2a\2712\32\357\362HB\314\3570{^O\240\31\245g\300\353l\335d\350Xy&t\350\273\227!\3\240\360{\370\373=\5\177\37s\377F\324\N\15X'\360\15^\220\364~\177\20\266\277\363D\364\2733\240\240I\251\0\326F \267C\227\264\337\0P\251\214/G\330\223\207{\216\2148p\213x\310W\301\2148B\330\226\205\314\36\377\210l"\213w0\367$\341j\365\20\346\252d\260\233c\203\266\243p\373\236,\256>\346\272\301\310\246z\235;\240\360:t"`\350\357\244\310\217\245"\246\313J\377X\233\22\254\307Y\33a\243J\240\35X0\344\17\374s\253\0\354\25\250\1\251\211i\22\311\367s^T\370B\2040~\233\271>\7D\15\336\17\264\322\26\17\365\376\34\257h\353A\350\234\332i\277L\26\265\204\203:W\204\273`\377\340\372\33ec\330O\372\275\355\25c\335\222\16j\345\361\340\13n\322\364(s\242\20\237\243\26\266m\360\337\21\223\11\34\0s\31\264UE\360\231*b\375\27\26c\251\334\253\327\15\243\4\240q\227\247)\377\232H\203aC9\262\267\5j\236\377@\354\205\222\342\321\270\271H\234\251\373\204\08\216\316\350\24\211\333\330\307\351\257\322\223\254\3558", ) `\350\357\244\310\217\245 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\375\22M\265\353.\34f8p5\6}y:\265\34?5\227\24\367\307\21\15F\4\22>\365\325\211bY\351\6\330>\321\35[E\254\210\337\202/\240\341t%>a\371\4\274\14\327\367\263\32\323p0r\240+4j>\262\316\357[\357\271\342n\204tc\243\264\310\366}&\244@'At\10\242\343\364>\253\224\361>\361\342",yv5\343u\365\13#{\33\200\305s\274&By\201\254V\35[\12v\362\307\266\235\177M\13$s\345\373|\250\365v^\237qi[xT1\254\245\306\214N\201\234\2a\2712\32\357\362HB\314\3570{^O\240\31\245g\300\353l\335d\350Xy&t\350\273\227!\3\240\360{\370\373=\5\177\37s\377F\324\N\15X'\360\15^\220\364~\177\20\266\277\363D\364\2733\240\240I\251\0\326F \267C\227\264\337\0P\251\214/G\330\223\207{\216\2148p\213x\310W\301\2148B\330\226\205\314\36\377\210l"\213w0\367$\341j\365\20\346\252d\260\233c\203\266\243p\373\236,\256>\346\272\301\310\246z\235;\240\360:t"`\350\357\244\310\217\245"\246\313J\377X\233\22\254\307Y\33a\243J\240\35X0\344\17\374s\253\0\354\25\250\1\251\211i\22\311\367s^T\370B\2040~\233\271>\7D\15\336\17\264\322\26\17\365\376\34\257h\353A\350\234\332i\277L\26\265\204\203:W\204\273`\377\340\372\33ec\330O\372\275\355\25c\335\222\16j\345\361\340\13n\322\364(s\242\20\237\243\26\266m\360\337\21\223\11\34\0s\31\264UE\360\231*b\375\27\26c\251\334\253\327\15\243\4\240q\227\247)\377\232H\203aC9\262\267\5j\236\377@\354\205\222\342\321\270\271H\234\251\373\204\08\216\316\350\24\211\333\330\307\351\257\322\223\254\3558", ) , ) == 0x0
 00569   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (68, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00570   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\226r#J\351p\11\323\325b\345\17\366\31y\15;1\307+\233\253\341u\3332|j\3612.3\357\245&HRX{*Ks\270e\365\10%*Ea\273\342\241\226w\275t\300\30|A\1\263\254\3639\34\242\353\315\314-C\273 c\257+\301\375Qj\233\6\364V{\347\371^Y\261\223\254\334\267\321\267\361\36,\35\210i\375w]kG\221\264\215\21\241xQ\237\257a\3331\320\315\237\344L\252>k\232\262\301\371\345\315\25n\210\322^\217\225_\37\346\347\307e\362\262CN\321*8\200\370_\305\311\332\336\5\3330\306Y\207\224\275PE\244\\271\34\265\310\353VH\12\370{\215\271F\267\341\336\303c_\227\25\267\347\270D\24a]\242\10\331\5\347\253\271\11\14X\270e\222\27\370\16v\343\33070\3377\300\302r0\371q<\252\213\370\330\246\244\237\36\260\24;.y\305>\17\224hC?\217\204J?:8=k\363Z\4\333\303\220mQ\220\13\303\150\330*]\340e\241\233v\230\30^I\33\366Y!\324$\365\220\275X\;\227h\347\312k\265py\0\0D\246r\36285\301^\206\31]\327\301\265c\357\240\214\201\3569\342G4mq\3Q\0$/L\371\4k\3548\367a\247\340\345Sb\334\362y\211\365\344;A\251F\361u\273\254\356\2319\24\275y4\35\1\275\204=m\231\223F\260t\26H\305F<\2-G[ \3\233'\213\347\370\261X\323{\25Ig\240W\362y\31\323\2\271iTig\227P\14\231\374\265\333j\343P\262d~-\330aq\213tY\7\16ja`P\3409U\213\205\326\216\26\21\327\330\0\177\3330&\30go\343|=[\361\357\353H\370ix\343\247\217<+\353\370\2\304\246\311Y!"\215}5\231\343`\263\370\7", ) \215}5\231\343`\263\370\7", ) == 0x0
 00571   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00572   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Yg\340\20\254\331\360\12\331\261\214\350\265\362\346\34c\324\225\14_+\261\324\240\336D\377\353\244\11AIw+\275\264\261\273\250\264\337B+\254\247\342 w2N\342)L`R\367\347;\373\373\226[\220\356\276\332\15\6\246-o\236\15K\204\302[J\0c\233U\37\241\207W]\331\327\22h\335\225\21\230\315\221%\304m0\341.)\355N\361v\325\377\217\336\311\336y\213>\252\356\350\304%]1\321\267\211\2766\312\205\233@\330!\377\334\25h\322\340j\355\271]u5N*[~=\224\1\356`y\325\361_\11th\14z\21F\267\337\11\330_\331\237\263\35\374\223R\225\325\206"\221\253\3\244\371\340\13\10\351\220kz\347.\212\315\331X\13\20\246\252\3!\2441x\177=\352\357E\301\316\23>\337\21''O\333'\34\235\344\3179\377\240S7\235\373c\340\344IJS\322\334\260\274h\252\304`\367b >\314\334\24d\346\36\32\177\207h;8\335\30\345\255X\22]nn\363\30\345=]\200\236\265\34#\273p\222\306(\3765\373\240\312Y\1\272=\232ek\2704\12=]\333\337\25\6\243\211o?\360,k\372\225@\6\315\262\324\370\325\326\210\366\221\324\242o(\313~K\31\241\360\24\305W:1Q\312\237\235\274\304\371g"\375\21p\343|-_)\316\4\4\22\234\215/\2\266\205\271\204\262\300@\375\243\353\240\257\22j>\344\256\14\37\367\264\217\322\264\235\27{\322r\263^\216\307\4\25\377h\344\243\322z\15]\233\234>\340\366\355\20\37\344\4\205\373\270\12\0\262A032\26r\342\225\256\361\36_|\335\200\260\302\331tr\11\274Pv\313\271'\245\301y;[y\354\310kM\200\366JY\3030\330\3668\4\327\324<\204\\252\210\27\342\251\210\221\352S!&\331\372\244\275", ) \221\253\3\244\371\340\13\10\351\220kz\347.\212\315\331X\13\20\246\252\3!\2441x\177=\352\357E\301\316\23>\337\21''O\333'\34\235\344\3179\377\240S7\235\373c\340\344IJS\322\334\260\274h\252\304`\367b >\314\334\24d\346\36\32\177\207h;8\335\30\345\255X\22]nn\363\30\345=]\200\236\265\34#\273p\222\306(\3765\373\240\312Y\1\272=\232ek\2704\12=]\333\337\25\6\243\211o?\360,k\372\225@\6\315\262\324\370\325\326\210\366\221\324\242o(\313~K\31\241\360\24\305W:1Q\312\237\235\274\304\371g (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Yg\340\20\254\331\360\12\331\261\214\350\265\362\346\34c\324\225\14_+\261\324\240\336D\377\353\244\11AIw+\275\264\261\273\250\264\337B+\254\247\342 w2N\342)L`R\367\347;\373\373\226[\220\356\276\332\15\6\246-o\236\15K\204\302[J\0c\233U\37\241\207W]\331\327\22h\335\225\21\230\315\221%\304m0\341.)\355N\361v\325\377\217\336\311\336y\213>\252\356\350\304%]1\321\267\211\2766\312\205\233@\330!\377\334\25h\322\340j\355\271]u5N*[~=\224\1\356`y\325\361_\11th\14z\21F\267\337\11\330_\331\237\263\35\374\223R\225\325\206"\221\253\3\244\371\340\13\10\351\220kz\347.\212\315\331X\13\20\246\252\3!\2441x\177=\352\357E\301\316\23>\337\21''O\333'\34\235\344\3179\377\240S7\235\373c\340\344IJS\322\334\260\274h\252\304`\367b >\314\334\24d\346\36\32\177\207h;8\335\30\345\255X\22]nn\363\30\345=]\200\236\265\34#\273p\222\306(\3765\373\240\312Y\1\272=\232ek\2704\12=]\333\337\25\6\243\211o?\360,k\372\225@\6\315\262\324\370\325\326\210\366\221\324\242o(\313~K\31\241\360\24\305W:1Q\312\237\235\274\304\371g"\375\21p\343|-_)\316\4\4\22\234\215/\2\266\205\271\204\262\300@\375\243\353\240\257\22j>\344\256\14\37\367\264\217\322\264\235\27{\322r\263^\216\307\4\25\377h\344\243\322z\15]\233\234>\340\366\355\20\37\344\4\205\373\270\12\0\262A032\26r\342\225\256\361\36_|\335\200\260\302\331tr\11\274Pv\313\271'\245\301y;[y\354\310kM\200\366JY\3030\330\3668\4\327\324<\204\\252\210\27\342\251\210\221\352S!&\331\372\244\275", ) , ) == 0x0
 00573   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (68, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00574   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "i\12hH\36S\32\277\243\270\222\210\266z=\3278\246\0\337|9xdy\240\230`=\374\4ap\353\15\377})S'\323\243\211\212'\370O\200\202\363>\375\261\243\10\4hf\372\215M\235\204?l\14=I+\263\305\3364\213\33\14\267\226\262\25\33\365BL\210\360\312\4\254\207\21\4\301ZBdj\334\307\2H\5r2I\273\13\31-\34\3765\231\272~Wc\353\304h\341\328NQ\234\331\325\306\1\343=Qr\217\355\263\333j\370\237O\211\325wOfY\36(\255;G\333#\335\343\31\310\0\233S\342*f\252D-\371\332\2\215\26\1\25v\1xj0\37:8\0\21\360\274\254\210~N K[\241\3\211$n\201q\30\303\36\201g\177\223jZ\263}\37\215\336\243%\317\224]\7\207\342\16\277\16\10"t\244\370\354c\33\362n`K\261\12\2010\276I\\317s\3iqy\26\233\347\1067)\2110\27\15\206\213\327\302/\220\341\340\343\32/\264M\372\317\15#\307\344\353\242Dy\264\223<\353\252\244CjC j\373\236#&\342*\361"\25\352ECc\231\274tp\324O\257o{\337\272yx\363\4\341\251\367\351"\327s\35\200\210\277\270\223~\214\344\373\1HCo\1x\0\31\334H\370\169SM\223\213\11kO\3745\344Mi\3<\34\365:\343\235At\224\13\271qp\260rq \27\271t\30\217\337a7O\300\33\362sb:S,~\276\16k]\274\353R\13\245HnJ\262(cz\342\362n\373\227\350ws\357R*I\11h\37\217x\246\35188m\373@\330\214\255\323\361\24#*#T\233244\370\354c\33\362n`K\261\12\2010\276I\\317s\3iqy\26\233\347\1067)\2110\27\15\206\213\327\302/\220\341\340\343\32/\264M\372\317\15#\307\344\353\242Dy\264\223<\353\252\244CjC j\373\236#&\342*\361 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "i\12hH\36S\32\277\243\270\222\210\266z=\3278\246\0\337|9xdy\240\230`=\374\4ap\353\15\377})S'\323\243\211\212'\370O\200\202\363>\375\261\243\10\4hf\372\215M\235\204?l\14=I+\263\305\3364\213\33\14\267\226\262\25\33\365BL\210\360\312\4\254\207\21\4\301ZBdj\334\307\2H\5r2I\273\13\31-\34\3765\231\272~Wc\353\304h\341\328NQ\234\331\325\306\1\343=Qr\217\355\263\333j\370\237O\211\325wOfY\36(\255;G\333#\335\343\31\310\0\233S\342*f\252D-\371\332\2\215\26\1\25v\1xj0\37:8\0\21\360\274\254\210~N K[\241\3\211$n\201q\30\303\36\201g\177\223jZ\263}\37\215\336\243%\317\224]\7\207\342\16\277\16\10"t\244\370\354c\33\362n`K\261\12\2010\276I\\317s\3iqy\26\233\347\1067)\2110\27\15\206\213\327\302/\220\341\340\343\32/\264M\372\317\15#\307\344\353\242Dy\264\223<\353\252\244CjC j\373\236#&\342*\361"\25\352ECc\231\274tp\324O\257o{\337\272yx\363\4\341\251\367\351"\327s\35\200\210\277\270\223~\214\344\373\1HCo\1x\0\31\334H\370\169SM\223\213\11kO\3745\344Mi\3<\34\365:\343\235At\224\13\271qp\260rq \27\271t\30\217\337a7O\300\33\362sb:S,~\276\16k]\274\353R\13\245HnJ\262(cz\342\362n\373\227\350ws\357R*I\11h\37\217x\246\35188m\373@\330\214\255\323\361\24#*#T\23335\200\210\277\270\223~\214\344\373\1HCo\1x\0\31\334H\370\169SM\223\213\11kO\3745\344Mi\3<\34\365:\343\235At\224\13\271qp\260rq \27\271t\30\217\337a7O\300\33\362sb:S,~\276\16k]\274\353R\13\245HnJ\262(cz\342\362n\373\227\350ws\357R*I\11h\37\217x\246\35188m\373@\330\214\255\323\361\24#*#T\2330\373\260\311x0\227\357i\321\277am\351\15ok\266\350a:(\322H{\336\33\360[m\324\24W\371\366`\250\321\370`L\341\201\30", ) == 0x0
 00575   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (68, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (68, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (68, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00576   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23\231\236\230 \267\337\374|\13\237{ \352\370S\33\225\331t=UQ,J\246\375\4\2\251Ib\24\2407S:\265\347aC\232\264\205\353|\265\323\337\336\262\366{\264\260\227o\376\204 \12B|\3270\361\207\2600\16+\0\\233\233zh\352\203\25\331\335\207\12\360\264\0\17h\326\223\340k\256;\326"\355\214\0\3\206\370S"\275\261\340f\201i\220\351\33]\353{\330{I\321\1\350\305j\33\323\262X\361)\260Y\205\363\214\177;\356}\346\252\261\271j\272\361\202\341\352\222|\36\371\213\200r{\376`\261\3548\267h\31\270*nX\271\12S\374\211\327\301\3112\216\35\226\277\271F\234\217\242\311M\215\215}p\31({E\255 \370\370$<\336\370tu\224y\244\6~\3040X{\36\211\242>\307\262\201w\371\327\307IY\267\25\211\367\230h\242J\34\221d\250\273\5\253\352\312r\4\342\22\362\237\302\310\4G\6\263\24P\257\270I?\352:|\240\376\254\325\307\233\5\252o-<\325n\343\304\364\373\326\30\11\24\2H\207\1\360\341-ss8;\303\372'\200\377\2402'/\226`\4\346\264H\346\353\231q\11\203\330\270\313H\366\33\252|\202$q\363\362\222Xo\260\277\244\310y\276\10^\343\365\22I\316\6\24?J\323\33\26\20\244q\247A\262\0\367\351\277\377\247\351\15\2U\264\370uf\2545"\235\4\3518\200\304\16\16\257\305\3 k=[&\303h\257*\3\354E\205oi\260|.\216\232\12\1\373\7\252\334T\22G\267\7\305G\254\243\261\3i\233\324\236G2\2ln\365\274\20{\355\2,\240K\244\30s\331\220\313\331\325{$O\321\230,G\355+\0\11.A\202;\270<\355?\371\33Sd\148f:F\373\242H\243\262\213\272\372Z\11\277Z\25v\13\25\274\3", ) \355\214\0\3\206\370S (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23\231\236\230 \267\337\374|\13\237{ \352\370S\33\225\331t=UQ,J\246\375\4\2\251Ib\24\2407S:\265\347aC\232\264\205\353|\265\323\337\336\262\366{\264\260\227o\376\204 \12B|\3270\361\207\2600\16+\0\\233\233zh\352\203\25\331\335\207\12\360\264\0\17h\326\223\340k\256;\326"\355\214\0\3\206\370S"\275\261\340f\201i\220\351\33]\353{\330{I\321\1\350\305j\33\323\262X\361)\260Y\205\363\214\177;\356}\346\252\261\271j\272\361\202\341\352\222|\36\371\213\200r{\376`\261\3548\267h\31\270*nX\271\12S\374\211\327\301\3112\216\35\226\277\271F\234\217\242\311M\215\215}p\31({E\255 \370\370$<\336\370tu\224y\244\6~\3040X{\36\211\242>\307\262\201w\371\327\307IY\267\25\211\367\230h\242J\34\221d\250\273\5\253\352\312r\4\342\22\362\237\302\310\4G\6\263\24P\257\270I?\352:|\240\376\254\325\307\233\5\252o-<\325n\343\304\364\373\326\30\11\24\2H\207\1\360\341-ss8;\303\372'\200\377\2402'/\226`\4\346\264H\346\353\231q\11\203\330\270\313H\366\33\252|\202$q\363\362\222Xo\260\277\244\310y\276\10^\343\365\22I\316\6\24?J\323\33\26\20\244q\247A\262\0\367\351\277\377\247\351\15\2U\264\370uf\2545"\235\4\3518\200\304\16\16\257\305\3 k=[&\303h\257*\3\354E\205oi\260|.\216\232\12\1\373\7\252\334T\22G\267\7\305G\254\243\261\3i\233\324\236G2\2ln\365\274\20{\355\2,\240K\244\30s\331\220\313\331\325{$O\321\230,G\355+\0\11.A\202;\270<\355?\371\33Sd\148f:F\373\242H\243\262\213\272\372Z\11\277Z\25v\13\25\274\3", ) \235\4\3518\200\304\16\16\257\305\3 k=[&\303h\257*\3\354E\205oi\260|.\216\232\12\1\373\7\252\334T\22G\267\7\305G\254\243\261\3i\233\324\236G2\2ln\365\274\20{\355\2,\240K\244\30s\331\220\313\331\325{$O\321\230,G\355+\0\11.A\202;\270<\355?\371\33Sd\148f:F\373\242H\243\262\213\272\372Z\11\277Z\25v\13\25\274\3", ) == 0x0
 00577   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (68, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (68, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00578   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "~\36\177o\356\333\2411\260\22\260\314w\255\243\32\4\217\321'\270\324\24PwQ@\354D\203\344\36\244\241\351>\36'\242\234\211\360\334\1oF\374 \335\255\274\360Z\376J\17!\265\32~K\342+l2\201YP \345\276\212\2643\371\25\227e\212P:\212g\16z\370\262\216\344\260\245\4\310\332\310\203~\371\27\322\367\321\2630H\232\273|w\177\2778\245\376\240\213.\110\0Gg\3336{\204dH\25<\255 >\11j\25\372\313\12d\20\271\256\325\15+DYc\373 Ce\300\263\4n\262\32`\31\312p\303\15\25\253\311\276\224\0h\317\365\245<\371\254n\222\211\351\250I\2607\306\11\3538\232\336\6[\25_\333\341\220\206g\261\364\3\3430\273\211=\300f\23(\203\3421\373p\375\354\240\201\\205\273j8\\275\343\367`/\26\2611pk\342\350\377\311\E\5"\220\1l\207\313\321'\370\336z\323\310T\27\32\233\364K\34,8Lr\375\200\37\237\331\220\200\227\373g\25#8R\262\271\273\344\27e\351\244h>\320\360\0\240\317E$}W;\1\271\11Dz\252\342\273\200,\375\259y\361P%F\11T\200\37\350\24\344\274\345\2241\12t\233\364\254\213\21\322\333W\232{r\370\341Ey\253=H:\325I\332\263\362\213\203>\372\313.,\32\307\24\375\361\250`\264\236e#b\201:\206\254&a4\7.h\22\224*\372\3333\372\273\372C\274J\232\312\346\37\300J\217\2\3c\362\270$E\265\310\24\34\343\251\177\255\241\274\11\250\24G\336\315Q4\\263\275\375:\325+\220\231\354\2505\357\327b\251\321O~?\357\322\254E\26\350\362P\206\277\307u\236\376\213\271\325\373\362\242bS0\200\327\255_\2j\221\247\13B\243A=\223$\2\375\341\2506\246\354l(\14", ) \220\1l\207\313\321'\370\336z\323\310T\27\32\233\364K\34,8Lr\375\200\37\237\331\220\200\227\373g\25#8R\262\271\273\344\27e\351\244h>\320\360\0\240\317E$}W;\1\271\11Dz\252\342\273\200,\375\259y\361P%F\11T\200\37\350\24\344\274\345\2241\12t\233\364\254\213\21\322\333W\232{r\370\341Ey\253=H:\325I\332\263\362\213\203>\372\313.,\32\307\24\375\361\250`\264\236e#b\201:\206\254&a4\7.h\22\224*\372\3333\372\273\372C\274J\232\312\346\37\300J\217\2\3c\362\270$E\265\310\24\34\343\251\177\255\241\274\11\250\24G\336\315Q4\\263\275\375:\325+\220\231\354\2505\357\327b\251\321O~?\357\322\254E\26\350\362P\206\277\307u\236\376\213\271\325\373\362\242bS0\200\327\255_\2j\221\247\13B\243A=\223$\2\375\341\2506\246\354l(\14", ) == 0x0
 00579   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00580   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "jXON\317,\270\224\344\324\262\267}\233q@\270\251\367\343\316\2654\311t2:\344\267\2C\5\225\351\205\25\331\203\31N\263\234\13\300\3770\1\362\271\16&L\370\262\20;\227\321\315\257\212\3776\343~\270\370\200\377\212\7\320\14\340\201\6\372Q\367Q\373+\315?\210\305\32\2K"\2549\243\254\254*~g/\377\325\300x\352$\247\3679\344\236\14\331\275\4\254'\377\203\204\332\223\371\23\2437\353\251\265Q\226\330\205q\363\20\235\301AE\33|\177\300\3\0:\276\335\370\232 \342\362\254FhAM\11\34\271wF/\347P?\367eEm\205\312\220&c\374\350sg\203;\300c\301\250*\211\247\324V\360\347a\352\251\307\363\270v\231[FE5\245\32Y\341\274\320Gy\374\204JF\335\2\207y\374\37*\205\34\360p\362\373 I\273(\33\37\325+[S\224\20 \245\374\244\24\213\274t\262s\341\303KL2f\257g\365\274\30i\355\323\7\200o\213ua\361=_\177\36\246\212\346\214\35\211\14\5\367\327,SF\276\13\316\324\353|3\243\30u\3412\220\366\215\274\301\233}*\20~\260\O+A&\252\304\354;Dss\352\313T\305\3460\316x\213*\365\276\33a\205kY\30N\362\2!\341\243\10\313\251\7Q\331\325k\22\0\330\244\14s\341\315\266\263\213\274\30FB\370Pc\275\234a\247\3640[\234\254}\22H\243\373\270\22\303^\12q\273\7\232\251\206\232[PO\263~"\5\265\370@\233\242|\21\31A\261|\333D\307k\353\273\222\233!\220\237\6\210\201\316)\373\3059k\270|\326\302\255\233\204X\372\331\333\31>\341k\250wZ*\305H\200\326\15\320\366Aw\360 Y\366?\370\224\355E\222e9t\3\31\341\213\306\253\225'mr'\2308f)yN", ) \2549\243\254\254*~g/\377\325\300x\352$\247\3679\344\236\14\331\275\4\254'\377\203\204\332\223\371\23\2437\353\251\265Q\226\330\205q\363\20\235\301AE\33|\177\300\3\0:\276\335\370\232 \342\362\254FhAM\11\34\271wF/\347P?\367eEm\205\312\220&c\374\350sg\203;\300c\301\250*\211\247\324V\360\347a\352\251\307\363\270v\231[FE5\245\32Y\341\274\320Gy\374\204JF\335\2\207y\374\37*\205\34\360p\362\373 I\273(\33\37\325+[S\224\20 \245\374\244\24\213\274t\262s\341\303KL2f\257g\365\274\30i\355\323\7\200o\213ua\361=_\177\36\246\212\346\214\35\211\14\5\367\327,SF\276\13\316\324\353|3\243\30u\3412\220\366\215\274\301\233}*\20~\260\O+A&\252\304\354;Dss\352\313T\305\3460\316x\213*\365\276\33a\205kY\30N\362\2!\341\243\10\313\251\7Q\331\325k\22\0\330\244\14s\341\315\266\263\213\274\30FB\370Pc\275\234a\247\3640[\234\254}\22H\243\373\270\22\303^\12q\273\7\232\251\206\232[PO\263~ (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "jXON\317,\270\224\344\324\262\267}\233q@\270\251\367\343\316\2654\311t2:\344\267\2C\5\225\351\205\25\331\203\31N\263\234\13\300\3770\1\362\271\16&L\370\262\20;\227\321\315\257\212\3776\343~\270\370\200\377\212\7\320\14\340\201\6\372Q\367Q\373+\315?\210\305\32\2K"\2549\243\254\254*~g/\377\325\300x\352$\247\3679\344\236\14\331\275\4\254'\377\203\204\332\223\371\23\2437\353\251\265Q\226\330\205q\363\20\235\301AE\33|\177\300\3\0:\276\335\370\232 \342\362\254FhAM\11\34\271wF/\347P?\367eEm\205\312\220&c\374\350sg\203;\300c\301\250*\211\247\324V\360\347a\352\251\307\363\270v\231[FE5\245\32Y\341\274\320Gy\374\204JF\335\2\207y\374\37*\205\34\360p\362\373 I\273(\33\37\325+[S\224\20 \245\374\244\24\213\274t\262s\341\303KL2f\257g\365\274\30i\355\323\7\200o\213ua\361=_\177\36\246\212\346\214\35\211\14\5\367\327,SF\276\13\316\324\353|3\243\30u\3412\220\366\215\274\301\233}*\20~\260\O+A&\252\304\354;Dss\352\313T\305\3460\316x\213*\365\276\33a\205kY\30N\362\2!\341\243\10\313\251\7Q\331\325k\22\0\330\244\14s\341\315\266\263\213\274\30FB\370Pc\275\234a\247\3640[\234\254}\22H\243\373\270\22\303^\12q\273\7\232\251\206\232[PO\263~"\5\265\370@\233\242|\21\31A\261|\333D\307k\353\273\222\233!\220\237\6\210\201\316)\373\3059k\270|\326\302\255\233\204X\372\331\333\31>\341k\250wZ*\305H\200\326\15\320\366Aw\360 Y\366?\370\224\355E\222e9t\3\31\341\213\306\253\225'mr'\2308f)yN", ) , ) == 0x0
 00581   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (68, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00582   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\1\375B\30\25\273\332*Yd|\343\366\3\237\245\233\325\204\203\31s{\340\365\365\332\1a{0\355(\211\35znPDxv|]\353.\324DCn\316"\313\202\305\15\31\370\316\34=g\371\217\315TH\226~\3247f65t\353\33\343)\14{\360\273\25\247\374\48t8\324\333%!\317\360e\373\344\5\250t\237\370F.\263\11\301\260\303\267\3014\344\23t\337\363\271\255y\352Q\233\357\323\275\372\2052\233\342\35\212\234'\21347c\21<\341&{ \343V\213\177\310\353\244\242s\262\216\325i\204\262Eq\10\1\251xKWa\367\357\343\25\360w\20c\22c0i\3011m\337\354V\216E\13!\217\354\324\262~nr\265\340\335\245!\311\207o\1\30 \357$\13\227\150\3y$\233\336\37*\231\221\375\255\265DI\1\201!\353x\253\234z,\370\26\4\375\13\235\352\367!\35\262\2358K\375\205\\250\23\350\271E\372\11\254\330\220k\302\263\267\232G\31&\240\345\211\227\16\232*\225S\221\3\226eqL\177\230S|d\375\264\373\3731\277\267\242\3538!\337\33\203\5\211+\266\32@\323\257bt\345\353\30b\254\355\364\342\211\315\254\341|\315\10\15xz\265\251\2420\16\255\264\244\243\311\321\206\25\203\204\355dO\233\372\365\233\277\230D\20O-\353\~g8Sp\310\344\2173\306y\26\335\210\364\357\274\342\24\337\356\12\222Ky\33\4\243\233\363`\232-N\05\363\364\211\211i\205\375o\337\3363\24)\313\14I\370D\256}V\271sc\322Ga\250\253\158|\302~\302\232\340\263\307\232\255\244\217+\325\261sg\377\20\350Jxsf\363%\354\276\226\360\304\14\15\6y\4\200\3519P`\370\266\3;\323\361=:\366\360S#\3307\214\330j\10Dj\336\221\353", ) \313\202\305\15\31\370\316\34=g\371\217\315TH\226~\3247f65t\353\33\343)\14{\360\273\25\247\374\48t8\324\333%!\317\360e\373\344\5\250t\237\370F.\263\11\301\260\303\267\3014\344\23t\337\363\271\255y\352Q\233\357\323\275\372\2052\233\342\35\212\234'\21347c\21<\341&{ \343V\213\177\310\353\244\242s\262\216\325i\204\262Eq\10\1\251xKWa\367\357\343\25\360w\20c\22c0i\3011m\337\354V\216E\13!\217\354\324\262~nr\265\340\335\245!\311\207o\1\30 \357$\13\227\150\3y$\233\336\37*\231\221\375\255\265DI\1\201!\353x\253\234z,\370\26\4\375\13\235\352\367!\35\262\2358K\375\205\\250\23\350\271E\372\11\254\330\220k\302\263\267\232G\31&\240\345\211\227\16\232*\225S\221\3\226eqL\177\230S|d\375\264\373\3731\277\267\242\3538!\337\33\203\5\211+\266\32@\323\257bt\345\353\30b\254\355\364\342\211\315\254\341|\315\10\15xz\265\251\2420\16\255\264\244\243\311\321\206\25\203\204\355dO\233\372\365\233\277\230D\20O-\353\~g8Sp\310\344\2173\306y\26\335\210\364\357\274\342\24\337\356\12\222Ky\33\4\243\233\363`\232-N\05\363\364\211\211i\205\375o\337\3363\24)\313\14I\370D\256}V\271sc\322Ga\250\253\158|\302~\302\232\340\263\307\232\255\244\217+\325\261sg\377\20\350Jxsf\363%\354\276\226\360\304\14\15\6y\4\200\3519P`\370\266\3;\323\361=:\366\360S#\3307\214\330j\10Dj\336\221\353", ) == 0x0
 00583   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (68, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00584   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "x\336\243\223\20\320\354\15\221\21\317\3d\270\25\240\6\224p+R\335l?"C\235\335\305\11\322\2156\327r\10\220\361\305\323_4\307\367\246\336\223\363\204\272c4&\347\252$K\252\220w\235:\366O\311-\354\273\2004\6\306\177\1\353\373 \303D\212MyL+\25\375\235u\267\313T\271\366Of.\303\270\3660:\0|\232\336\232\341^8s\306\214\255\203;-0\357O[\200q\23\303\224\2078\12\255\342\314\142%OM\263\207\333\245\221\214F\353f\6\275\261\250\35\316\22\200\270bcpo\230Cu\362\373\21\213\207\201}\331\347\20\212\337\362\333\271mS\305\353ud\272\27J\242j\25;\32\277\262\243\13235\335\305\11\322\2156\327r\10\220\361\305\323_4\307\367\246\336\223\363\204\272c4&\347\252$K\252\220w\235:\366O\311-\354\273\2004\6\306\177\1\353\373 \303D\212MyL+\25\375\235u\267\313T\271\366Of.\303\270\3660:\0|\232\336\232\341^8s\306\214\255\203;-0\357O[\200q\23\303\224\2078\12\255\342\314\142%OM\263\207\333\245\221\214F\353f\6\275\261\250\35\316\22\200\270bcpo\230Cu\362\373\21\213\207\201}\331\347\20\212\337\362\333\271mS\305\353ud\272\27J\242j\25;\32\277\262\243\131\351\345.\325\361\203F\302\255\370\322q1\226\303=\252\253\371G\225]O\304S\266\343\207\261\235\10\335\6\246\16p\\225\364i\304\266uI\237G\240\241\254wFmg\241\35\37\30\326\226n\207\275\3+\220vC\325\325\300\267\207\20\365@\260\327\2?\29\240M\355r\262\336n8H\20\26\20E\227\203\324o\370\262\30z1# L\333Fr\332\13\264_\300\330\262bm\202\360\252B\350\264\233\315A\37\360j\273\205\1ou\215t\313\3\224\24\257\202Ob:D~\34l\300\203\3750\344d\237\265\360\206Nj0[\30\321\353Y9\32\213\217\372\315\10\22XV\3406\132;\26\365\213\4\223\207K\27\21\353\303']\302\2635\31\334vDm\371\377xf\7Qn\224\36\267\22R\216]\353t\237w\245Z\371\321\13\4I\7^\324k\224\31KYA\333PY\330\360p\1\326\301\201\2239\7{\31H\3\343\252\262\303*0\262\340\306\373\211\310`3\315\2010h\244\373\22\376\306\367\263zj\12\353T\200\12\15\362\375|\223\17\213zo\205\257\277e\270\235!", ) == 0x0
 00585   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00586   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "[\330\230\336\375\365['}\372\346\15\355\7'\254f\345\247\213\264\302[u\251l\246\13AGu\237\207\337\2047a\240pZ0)K\213\4\15\233\240Yb\302l%\372\372\4\20\312\261\4T\222}w5\350\11\255/\254\350\273j\207h\31+I\265)\323\275\324\20\32\32\206\353\375\363;\377h7\361\304\35\322\202\27P6M)}\371\11\266\366\337\244A\321\214a(\311|~\213\200y\346\24yQd4=\323\210\331\357\22\274n8\271\0F\227\342\213\373\36|d\221\302\257\37YH\2449\30\366\307m\236m\3201\306_xV_>\21S`\1\217p\276\332\375\377h`\254\342ut\201\265\315M\276\264$2\373\\24\34\217k0\262y\222\243\207q\270R/\375\213\270\212u\355\350\205\372u\211\236r\255T|\343\316N\200\250Bs\344\27\307\14\267\324\234\200h\217\213\31\34\302\213c\303\203(\333\355p\265\24g\217\213b\350D\234t=\2135\12\254,\321\234\321\374\365\250\363\366o\251\211=\37\2523\214\27QR\274\337k\252\\17\31e\360\260\360j\275\240\344}\370\215\334c\364\36[\324i\20\100);\352\352{\336[\272\34\260\376h\3651\302^b\313\233fxR\16\255\300\364(\207\231\357T\372<\365\213^79\216I\231\214\316\25E\6\335\1\232K\217\35\363m;\20\361\11/d\356l\213n\6\306\36<\351\233\373, ) , ) == 0x0
 00587   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (68, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00588   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "x\324;\274\350\303\216\334\226\314\375\15ap\261\241m%v\0e\200\314\364\152\232\263\324v\347\2\274\374%\32\254\360t\231\361\330\270\17\357j\227\353@\274T\35;\322\264\202\222c\255\257;\20\315\217c\251\2410\371\340\306\11cw$c4\332\220 \3246\344p\363K~\207\30o\324\177\375\205|-\343\245\6;\357\34\256\0\252\261\345|\300\301\264\270\234\272\235\17\17\255\362\0K:_TZ\357\257\20\277\352\36\265!\377\27~a\366\353\25'\230\257tV\220\347P\253\357\327\34$\\33\255\371\5\34Dr\315\310\3539\256\343\246&\214\304_<\371\244\360s\301\16\240[t\300\30\234]\343\300+\270u\261\261\211\275\211a{[.rk\373+\327i\30\222b\300\372\320\303\240\261d\17i\30\33\367\300\2005x>\323\227;\355p\3\360\242\345P\301y\262\22\314\177\13\220\23\347\200\310\17\216\273\230\222Y9\312:\224\350L\2523&\320a\376\7S\306\373@ZcB\317\331KQ%\202o\370i\233*$\203\213\241n/#@yO\260J\302NrJ\215\235\375r\373\310\255F\336\2367\207\224\335\261u\305L\261\227\366\366\257\10\305'\177"v\347\212\233I\223\340\320\351\340\212\213\16r\374&\244\326\253\223N\337\231\346\265\247\374m\276\262\213l8Z\3y\234k\332\6\376\273\4!&\265\10c\365&e2o\227\20\177\347\250\342o\325Y~\331\224\14C\262\265\277.\363\3170!\214x\350*\361\326\255\326\5\336ma\376i[\310\26\277\13\343\376N\312\331\231\364\27\224\354\336\257\36J;\205\15\366g\363\15R/\23\17\251\357\365\313p$\227iO\374\231W=w\224r\315\14@\07\367C\11\375\21\7\30\365\250h\214\235\213\266\257}\1g\343x\1kx\356\340\3344R\200", ) v\347\212\233I\223\340\320\351\340\212\213\16r\374&\244\326\253\223N\337\231\346\265\247\374m\276\262\213l8Z\3y\234k\332\6\376\273\4!&\265\10c\365&e2o\227\20\177\347\250\342o\325Y~\331\224\14C\262\265\277.\363\3170!\214x\350*\361\326\255\326\5\336ma\376i[\310\26\277\13\343\376N\312\331\231\364\27\224\354\336\257\36J;\205\15\366g\363\15R/\23\17\251\357\365\313p$\227iO\374\231W=w\224r\315\14@\07\367C\11\375\21\7\30\365\250h\214\235\213\266\257}\1g\343x\1kx\356\340\3344R\200", ) == 0x0
 00589   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00590   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "H\14\245\205\15\277L\6p\215;\22n"\270sD".\242\5\315\212C\365\373R\6z\26\2602\337\213^/\306\3\213\373\34[\315\31\333\350\255\353\220\217_\377\7\6\267\16K[%\12P\264H\177\373\372\210\0kH\305\213\337\253Kx\242\241}0\267\236\361`\200\10n\5cN\235\227\217\177,\231\316\21`\16\257\341\6\375\223\376X\13\37\321\251W~\244\33\200|\275=_o\267\12\24\213\317\232\32\241\254\250\24\242\340\10?Y\302\207|\201\226\37\330\214x0\14\263\351P\202\13("\330\220\223\266\304gMVo\212\224'\267\350\6]h*\204\265\5\323\243\266\15\221\240\25\32\223\20\242\17\340\312\356N/{)\3502\10H\226\372y\4\36\333\35\0\17Ay\307\30xz\314\223\244\257\323\201)\206Yt-\371\255\247Cy1\21\310,\273\14\20\324k\213s\250\347\341U\274\257\237=>c\364T\310\33w\334h\347\3O\6\275~\276<\250_X\322\344\224\327\304\216\301\375\3663%\327\233.\360M}\361\13j\263)\3y\371y6\177\1\341n\314Q!\12!\226M\336,J\262\316xD\275\22{\341\212\237\325\324\223\367\362_\363\316\263\337\370#C%\34\310\366Akv[\241m\367\15\341\303\4\373\265\346w\251\343a$\110n\33\4\231\376\311\0\240\1\241\253\361\301\2255\31"\13\350H\273\357\230\260,\343j\263\370\36\310B\2436\251\341\351\300\231s\202x\235\210\213\241C\250Oc\341\261\3462\241\3442\353P~\370?K`\262yAb\22|\315\247(|\322@\323\217\240pc=\375\323\17m\312'D\250M\273\260\303\177\350x8\354\340\376\260\3701{\374t\254\224.\376\261\1\26\357-|O\325X\0\37r\202]\1\345\366\354z\15\232\361\260\272wk\204\217\263\", ) \270sD (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "H\14\245\205\15\277L\6p\215;\22n"\270sD".\242\5\315\212C\365\373R\6z\26\2602\337\213^/\306\3\213\373\34[\315\31\333\350\255\353\220\217_\377\7\6\267\16K[%\12P\264H\177\373\372\210\0kH\305\213\337\253Kx\242\241}0\267\236\361`\200\10n\5cN\235\227\217\177,\231\316\21`\16\257\341\6\375\223\376X\13\37\321\251W~\244\33\200|\275=_o\267\12\24\213\317\232\32\241\254\250\24\242\340\10?Y\302\207|\201\226\37\330\214x0\14\263\351P\202\13("\330\220\223\266\304gMVo\212\224'\267\350\6]h*\204\265\5\323\243\266\15\221\240\25\32\223\20\242\17\340\312\356N/{)\3502\10H\226\372y\4\36\333\35\0\17Ay\307\30xz\314\223\244\257\323\201)\206Yt-\371\255\247Cy1\21\310,\273\14\20\324k\213s\250\347\341U\274\257\237=>c\364T\310\33w\334h\347\3O\6\275~\276<\250_X\322\344\224\327\304\216\301\375\3663%\327\233.\360M}\361\13j\263)\3y\371y6\177\1\341n\314Q!\12!\226M\336,J\262\316xD\275\22{\341\212\237\325\324\223\367\362_\363\316\263\337\370#C%\34\310\366Akv[\241m\367\15\341\303\4\373\265\346w\251\343a$\110n\33\4\231\376\311\0\240\1\241\253\361\301\2255\31"\13\350H\273\357\230\260,\343j\263\370\36\310B\2436\251\341\351\300\231s\202x\235\210\213\241C\250Oc\341\261\3462\241\3442\353P~\370?K`\262yAb\22|\315\247(|\322@\323\217\240pc=\375\323\17m\312'D\250M\273\260\303\177\350x8\354\340\376\260\3701{\374t\254\224.\376\261\1\26\357-|O\325X\0\37r\202]\1\345\366\354z\15\232\361\260\272wk\204\217\263\", ) \330\220\223\266\304gMVo\212\224'\267\350\6]h*\204\265\5\323\243\266\15\221\240\25\32\223\20\242\17\340\312\356N/{)\3502\10H\226\372y\4\36\333\35\0\17Ay\307\30xz\314\223\244\257\323\201)\206Yt-\371\255\247Cy1\21\310,\273\14\20\324k\213s\250\347\341U\274\257\237=>c\364T\310\33w\334h\347\3O\6\275~\276<\250_X\322\344\224\327\304\216\301\375\3663%\327\233.\360M}\361\13j\263)\3y\371y6\177\1\341n\314Q!\12!\226M\336,J\262\316xD\275\22{\341\212\237\325\324\223\367\362_\363\316\263\337\370#C%\34\310\366Akv[\241m\367\15\341\303\4\373\265\346w\251\343a$\110n\33\4\231\376\311\0\240\1\241\253\361\301\2255\31 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "H\14\245\205\15\277L\6p\215;\22n"\270sD".\242\5\315\212C\365\373R\6z\26\2602\337\213^/\306\3\213\373\34[\315\31\333\350\255\353\220\217_\377\7\6\267\16K[%\12P\264H\177\373\372\210\0kH\305\213\337\253Kx\242\241}0\267\236\361`\200\10n\5cN\235\227\217\177,\231\316\21`\16\257\341\6\375\223\376X\13\37\321\251W~\244\33\200|\275=_o\267\12\24\213\317\232\32\241\254\250\24\242\340\10?Y\302\207|\201\226\37\330\214x0\14\263\351P\202\13("\330\220\223\266\304gMVo\212\224'\267\350\6]h*\204\265\5\323\243\266\15\221\240\25\32\223\20\242\17\340\312\356N/{)\3502\10H\226\372y\4\36\333\35\0\17Ay\307\30xz\314\223\244\257\323\201)\206Yt-\371\255\247Cy1\21\310,\273\14\20\324k\213s\250\347\341U\274\257\237=>c\364T\310\33w\334h\347\3O\6\275~\276<\250_X\322\344\224\327\304\216\301\375\3663%\327\233.\360M}\361\13j\263)\3y\371y6\177\1\341n\314Q!\12!\226M\336,J\262\316xD\275\22{\341\212\237\325\324\223\367\362_\363\316\263\337\370#C%\34\310\366Akv[\241m\367\15\341\303\4\373\265\346w\251\343a$\110n\33\4\231\376\311\0\240\1\241\253\361\301\2255\31"\13\350H\273\357\230\260,\343j\263\370\36\310B\2436\251\341\351\300\231s\202x\235\210\213\241C\250Oc\341\261\3462\241\3442\353P~\370?K`\262yAb\22|\315\247(|\322@\323\217\240pc=\375\323\17m\312'D\250M\273\260\303\177\350x8\354\340\376\260\3701{\374t\254\224.\376\261\1\26\357-|O\325X\0\37r\202]\1\345\366\354z\15\232\361\260\272wk\204\217\263\", ) , ) == 0x0
 00591   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00592   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\10\267\250!G\302\223\264\361\372\306B*\255\273D\177\370\323t+\267\324t\177\236\361\14\243\234}\4\177\301\223\220\307\262'<\350\335\354\310T\261Y^\12e8\233)\241\223\364(0\325(\27\260\274\240\303\247\344\5\30\346x\3jR\372Dn\272\250\316l0{Hj\372\325\30k\307\224\313\311\323h\7\273+:AAy \204/\3\264\231\3532\271:K\274\346\7\262\22\236MG\216\264\306`\35\374\201(\271\207\3\2351\352+(u\273|\3\271\376\232\177\370,\254\373nAJl\266\26\357:\244f*\20\326\341\274\230n\263%\333\225\260O\324\266\221\233\13&\364\24/\315\270Km\25\325\13/\351\2238\330\356y\215\357\272\242\24/\35c\14\23\375\242S.\361\13\11Rl,S^\274\210\35\251\251hSw\226\3103gn\215\204\377\246{E\303\246\344a\3271\306/>\361CE\263\226a\267\247\215\345\303\344\366\204tD\300!_.\5\366\30\4m\372\232Fh\223H\323~0\220p\225\263w\205C\375p\360\256\367\30h\236\267\246\13\331\11\1\351\336\261\271\3\372I \222\371\2434k\256\210\217\226\377T\0:\31\262i\331\251\302\3>\235\326T\1776\300Tk\3312*\323 \36\279\301\240\344\34\257y&l\341\246Pz\216\346\1\3367\241\27\220\212p\354\307\363\215\347T\252\320\20{k\261E[m\340T\213\7\217S\243\350\337\351\321\254\346`\255\342\2\264\245{\30KH&\334\260\372>pj\353[\2\240\276\14\367A\0\314\4k\276hH\177\332\372.(\260\10821\266\244a\341\354\242o\2\274\2&\214\240\257#\372\324\2\311_\350h\0\34\327pp\340T\3\304\325y\360R\16\264\4xi\262\3\271\364\264\266g\371\260\10w\372z\226_\372\360 xD5M", ) , ) == 0x0
 00593   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00594   424   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\361\271\240\214i\345\240\205\340\250\253\27\253\302\3748:\330UR\6^\346\210\233G\263|\241\225.\11K\247 \346p9uh\235\366\235\330{\310\0F\200\5\374\15\17\362\313\301g\371h\17W\363\366\21\257\357\354k\221\331\326Av\370dk#j\272\345\210\378a\4!\273+`\225\6\214IG\240\201i[[\301\324\370\326@\327 \233v\345\367h\262K\271\277\21\333\311(\315!\313\375\263\207\334+@\23\3676\14\2424\242\226C\261\276\13O\271s@{\274:\2612\3421|\17\363\271\221\b\265\20\314\350\343\360\326:\2\11"\362\354B\254\372\256\357\334\365v\217\225\273\340\261\357\323\354\203\128\362\20\341\2\226\364c{\32\211QH\334\26\317w\242\14M\212\201\353\374\373+\11\5\335\240s\252\327\312\266R\244\236Y\347\313\327\20\260\215\340\5\330\363\231\370\331\360{\352|M\177:g\335\253B;\363\344\20c\357\264Mm\250\234\2o=\317dn\222\244\6-] \11}\3622\242\0\337\256#2\344\262=\2035(\5\212lS8{\342\251\263n\266\304\242\201\353&\260x\320\205\26P\341\266\234=\234\213;\257\233\374\20\347\352\23\10\13J\210$\307\336\241I#a\333\4e\311\300\232F\202\241nf\21\320\300\350\230\200\211D\325i\214\262\211\244\2\227\367\223\250s;\350\33770.-d\214\322\236.\257\341\21o\347\277\22)\365\366@\24\253\2C\241\363\2\14\266G\270\322\333[\343\344\6\375\334Y\250R\366\16\351\340\3%\366\366\22\336X\215{F\272\225\2706g\231/)I\4\12Ag\241p\340\12\305\361\315Gn\15\2\11\250\214s\177\375AN\223\253Fh c\350\237z\300B\1C\233\15\11\214\316#\226\246%\274\224b\244h\222\252K\324\20\234\351\352x\335\3\246\4", ) \362\354B\254\372\256\357\334\365v\217\225\273\340\261\357\323\354\203\128\362\20\341\2\226\364c{\32\211QH\334\26\317w\242\14M\212\201\353\374\373+\11\5\335\240s\252\327\312\266R\244\236Y\347\313\327\20\260\215\340\5\330\363\231\370\331\360{\352|M\177:g\335\253B;\363\344\20c\357\264Mm\250\234\2o=\317dn\222\244\6-] \11}\3622\242\0\337\256#2\344\262=\2035(\5\212lS8{\342\251\263n\266\304\242\201\353&\260x\320\205\26P\341\266\234=\234\213;\257\233\374\20\347\352\23\10\13J\210$\307\336\241I#a\333\4e\311\300\232F\202\241nf\21\320\300\350\230\200\211D\325i\214\262\211\244\2\227\367\223\250s;\350\33770.-d\214\322\236.\257\341\21o\347\277\22)\365\366@\24\253\2C\241\363\2\14\266G\270\322\333[\343\344\6\375\334Y\250R\366\16\351\340\3%\366\366\22\336X\215{F\272\225\2706g\231/)I\4\12Ag\241p\340\12\305\361\315Gn\15\2\11\250\214s\177\375AN\223\253Fh c\350\237z\300B\1C\233\15\11\214\316#\226\246%\274\224b\244h\222\252K\324\20\234\351\352x\335\3\246\4", ) == 0x0
 00595   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (68, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00596   424   NtReadFile  (56, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (56, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "+\262\260\0;\262\260\0\17\242\260\0\37\242\260\0\217\220\260\0\237\220\260\0o\223\260\0g\223\260\0\177\223\260\0w\223\260\0O\223\260\0G\223\260\0_\223\260\0W\223\260\0/\223\260\0'\223\260\0\313\223\260\0\337\223\260\0\263\223\260\0w\222\260\0;\222\260\0\303\222\260\0\273\222\260\0{\225\260\0\373\225\260\0\203\225\260\0\357\227\260\0\233\226\260\0[\211\260\0\177\210\260\0\313\210\260\0\37\212\260\0\27\214\260\0/\216\260\0C\201\260\0\243\201\260\0#\200\260\0\343\200\260\0\27\203\260\0\367\203\260\0\253\203\260\0\233\203\260\0\363\272\265\0\213\272\265\0\274\320\267\0\200\320\267\0i\323\267\0q\323\267\0_\323\267\0%\323\267\0\2\323\267\0\357\323\267\0\313\323\267\0\322\323\267\0\277\323\267\0\203\323\267\0\225\323\267\0y\322\267\0C\322\267\0*\322\267\0;\322\267\0\26\322\267\0\375\322\267\0\334\322\267\0\272\322\267\0\223\322\267\0p\325\267\0!\325\267\0\4\325\267\0\371\325\267\0\252\325\267\0\212\325\267\0o\324\267\0R\324\267\0\14\324\267\0\27\324\267\0\371\324\267\0\301\324\267\0\253\324\267\0\275\324\267\0\207\324\267\0j\327\267\0q\327\267\0D\327\267\0/\327\267\05\327\267\0\22\327\267\0\357\327\267\0\341\327\267\0\370\327\267\0\364\327\267\0w\371\246\0|\371\251\0\177\371\250\0~\371\252\0o\371\263\0c\371\267\0m\371\265\0@\371\253\0v\371\256\0O\371\220\0C\371\232\0B\371\221\0H\371\222\0t\371\225\0M\371\227\0x\371\241\0y\371\274\0{\371\276\0d\371\275\0`\371\272\0b\371\234\0k\371\262\0j\371\236\0F\371\260\0k\371\260\0k\371\260\0k\371\260@O\201\300$Z\313\376m\36\235\300@?\267\375U/\251\260@O\201\300$Z\314\376m", ) , ) == 0x0
 00597   424   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00598   424   NtClose  (68, ... ) == 0x0
 00599   424   NtClose  (56, ... ) == 0x0
 00600   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00601   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00602   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 68, ) == 0x0
 00603   424   NtClose  (56, ... ) == 0x0
 00604   424   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 176128, ) == 0x0
 00605   424   NtClose  (68, ... ) == 0x0
 00606   424   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00607   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00608   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00609   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00610   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0
 00611   424   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00612   424   NtClose  (68, ... ) == 0x0
 00613   424   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x910000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00614   424   NtMapViewOfSection  (56, -1, (0x910000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00615   424   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00616   424   NtClose  (56, ... ) == 0x0
 00617   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 8, ) == 0x0
 00618   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 8, ... (0x982000), 4096, 4, ) == 0x0
 00619   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00620   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00621   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00622   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00623   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00624   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00625   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00626   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00627   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00628   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00629   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00630   424   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00631   424   NtClose  (56, ... ) == 0x0
 00632   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00633   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00634   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00635   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00636   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00637   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00638   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00639   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00640   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00641   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00642   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00643   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00644   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00646   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00648   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00649   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00650   424   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00651   424   NtClose  (56, ... ) == 0x0
 00652   424   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00653   424   NtClose  (68, ... ) == 0x0
 00654   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00655   424   NtProtectVirtualMemory  (-1, (0x982000), 4096, 4, ... (0x982000), 4096, 4, ) == 0x0
 00656   424   NtFlushInstructionCache  (-1, 9969664, 4096, ... ) == 0x0
 00657   424   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 68, ) == 0x0
 00658   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00659   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 72, ) }, ... 72, ) == 0x0
 00660   424   NtNotifyChangeKey  (72, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00661   424   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00662   424   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00663   424   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00664   424   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00665   424   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00666   424   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00667   424   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10027008, 1048576, ) == 0x0
 00668   424   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00669   424   NtAllocateVirtualMemory  (-1, 10027008, 0, 16384, 4096, 4, ... 10027008, 16384, ) == 0x0
 00670   424   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00671   424   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00672   424   NtOpenKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   424   NtOpenKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   424   NtOpenProcessToken  (-1, 0x8, ... 84, ) == 0x0
 00675   424   NtQueryInformationToken  (84, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00676   424   NtClose  (84, ... ) == 0x0
 00677   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   424   NtReleaseMutant  (16, ...
 00679   424   NtContinue  (-104226680, 0, ...
 00678   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00682   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00684   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00685   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   424   NtReleaseMutant  (16, ...
 00688   424   NtContinue  (-104226680, 0, ...
 00687   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   424   NtReleaseMutant  (16, ...
 00691   424   NtContinue  (-104226680, 0, ...
 00690   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   424   NtReleaseMutant  (16, ...
 00694   424   NtContinue  (-104226680, 0, ...
 00693   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   424   NtReleaseMutant  (16, ...
 00697   424   NtContinue  (-104226680, 0, ...
 00696   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   424   NtReleaseMutant  (16, ...
 00700   424   NtContinue  (-104226680, 0, ...
 00699   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   424   NtReleaseMutant  (16, ...
 00703   424   NtContinue  (-104226680, 0, ...
 00702   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   424   NtReleaseMutant  (16, ...
 00706   424   NtContinue  (-104226680, 0, ...
 00705   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   424   NtReleaseMutant  (16, ...
 00709   424   NtContinue  (-104226680, 0, ...
 00708   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   424   NtReleaseMutant  (16, ...
 00712   424   NtContinue  (-104226680, 0, ...
 00711   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   424   NtReleaseMutant  (16, ...
 00715   424   NtContinue  (-104226680, 0, ...
 00714   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   424   NtReleaseMutant  (16, ...
 00718   424   NtContinue  (-104226680, 0, ...
 00717   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   424   NtReleaseMutant  (16, ...
 00721   424   NtContinue  (-104226680, 0, ...
 00720   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   424   NtReleaseMutant  (16, ...
 00724   424   NtContinue  (-104226680, 0, ...
 00723   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   424   NtReleaseMutant  (16, ...
 00727   424   NtContinue  (-104226680, 0, ...
 00726   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   424   NtReleaseMutant  (16, ...
 00730   424   NtContinue  (-104226680, 0, ...
 00729   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00732   424   NtReleaseMutant  (16, ...
 00733   424   NtContinue  (-104226680, 0, ...
 00732   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00734   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00735   424   NtReleaseMutant  (16, ...
 00736   424   NtContinue  (-104226680, 0, ...
 00735   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00737   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00738   424   NtReleaseMutant  (16, ...
 00739   424   NtContinue  (-104226680, 0, ...
 00738   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00740   424   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 84, ) == 0x0
 00741   424   NtUserGetDC  (0, ... ) == 0x1010051
 00742   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00743   424   NtUserGetDC  (0, ... ) == 0x1010051
 00744   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00745   424   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x160803fe
 00746   424   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00747   424   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00748   424   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00749   424   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0A\00\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00750   424   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\09\01\00\00\00\00\00\00\00\00\00\01\0A\08\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00751   424   NtUserSystemParametersInfo  (104, 0, 10032252, 0, ... ) == 0x1
 00752   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00753   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00754   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00755   424   NtUserGetDC  (0, ... ) == 0x1010051
 00756   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x9050409
 00757   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00758   424   NtGdiSelectBitmap  (335610825, 151323657, ... ) == 0x185000f
 00759   424   NtGdiGetDCforBitmap  (151323657, ... ) == 0x140103c9
 00760   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00761   424   NtGdiSelectBitmap  (335610825, 151323657, ... ) == 0x9050409
 00762   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00763   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00764   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9909772, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00765   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00766   424   NtGdiSelectBitmap  (335610825, 151323657, ... ) == 0x9050409
 00767   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00768   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x9050409
 00769   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0x31010406
 00770   424   NtGdiExtGetObjectW  (151323657, 24, 1241324, ... ) == 0x18
 00771   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x170503df
 00772   424   NtGdiSelectBitmap  (335610825, 151323657, ... ) == 0x185000f
 00773   424   NtGdiSelectBitmap  (822150150, 386204639, ... ) == 0x185000f
 00774   424   NtGdiBitBlt  (822150150, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00775   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x9050409
 00776   424   NtGdiSelectBitmap  (822150150, 25493519, ... ) == 0x170503df
 00777   424   NtGdiDeleteObjectApp  (151323657, ... ) == 0x1
 00778   424   NtGdiDeleteObjectApp  (822150150, ... ) == 0x1
 00779   424   NtUserCallOneParam  (0, 33, ... ) == 0x20075
 00780   424   NtUserSetCursorIconData  (131189, 1241432, 1241448, 1242028, ... ) == 0x1
 00781   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00782   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00783   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00784   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00785   424   NtUserGetDC  (0, ... ) == 0x1010051
 00786   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc050404
 00787   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00788   424   NtGdiSelectBitmap  (335610825, 201655300, ... ) == 0x185000f
 00789   424   NtGdiGetDCforBitmap  (201655300, ... ) == 0x140103c9
 00790   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00791   424   NtGdiSelectBitmap  (335610825, 201655300, ... ) == 0xc050404
 00792   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00793   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00794   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9910080, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00795   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00796   424   NtGdiSelectBitmap  (335610825, 201655300, ... ) == 0xc050404
 00797   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00798   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0xc050404
 00799   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0xb010409
 00800   424   NtGdiExtGetObjectW  (201655300, 24, 1241324, ... ) == 0x18
 00801   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x180503dd
 00802   424   NtGdiSelectBitmap  (335610825, 201655300, ... ) == 0x185000f
 00803   424   NtGdiSelectBitmap  (184615945, 402981853, ... ) == 0x185000f
 00804   424   NtGdiBitBlt  (184615945, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00805   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0xc050404
 00806   424   NtGdiSelectBitmap  (184615945, 25493519, ... ) == 0x180503dd
 00807   424   NtGdiDeleteObjectApp  (201655300, ... ) == 0x1
 00808   424   NtGdiDeleteObjectApp  (184615945, ... ) == 0x1
 00809   424   NtUserCallOneParam  (0, 33, ... ) == 0x4008d
 00810   424   NtUserSetCursorIconData  (262285, 1241432, 1241448, 1242028, ... ) == 0x1
 00811   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00812   424   NtUserGetDC  (0, ... ) == 0x1010051
 00813   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x33050406
 00814   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00815   424   NtGdiSelectBitmap  (335610825, 855966726, ... ) == 0x185000f
 00816   424   NtGdiGetDCforBitmap  (855966726, ... ) == 0x140103c9
 00817   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00818   424   NtGdiSelectBitmap  (335610825, 855966726, ... ) == 0x33050406
 00819   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00820   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00821   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9910388, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00822   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00823   424   NtGdiSelectBitmap  (335610825, 855966726, ... ) == 0x33050406
 00824   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00825   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x33050406
 00826   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0xe010404
 00827   424   NtGdiExtGetObjectW  (855966726, 24, 1241324, ... ) == 0x18
 00828   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x80503ff
 00829   424   NtGdiSelectBitmap  (335610825, 855966726, ... ) == 0x185000f
 00830   424   NtGdiSelectBitmap  (234947588, 134546431, ... ) == 0x185000f
 00831   424   NtGdiBitBlt  (234947588, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00832   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x33050406
 00833   424   NtGdiSelectBitmap  (234947588, 25493519, ... ) == 0x80503ff
 00834   424   NtGdiDeleteObjectApp  (855966726, ... ) == 0x1
 00835   424   NtGdiDeleteObjectApp  (234947588, ... ) == 0x1
 00836   424   NtUserCallOneParam  (0, 33, ... ) == 0x400a5
 00837   424   NtUserSetCursorIconData  (262309, 1241432, 1241448, 1242028, ... ) == 0x1
 00838   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00839   424   NtUserGetDC  (0, ... ) == 0x1010051
 00840   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xd050409
 00841   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00842   424   NtGdiSelectBitmap  (335610825, 218432521, ... ) == 0x185000f
 00843   424   NtGdiGetDCforBitmap  (218432521, ... ) == 0x140103c9
 00844   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00845   424   NtGdiSelectBitmap  (335610825, 218432521, ... ) == 0xd050409
 00846   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00847   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00848   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9910696, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00849   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00850   424   NtGdiSelectBitmap  (335610825, 218432521, ... ) == 0xd050409
 00851   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00852   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0xd050409
 00853   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0x35010406
 00854   424   NtGdiExtGetObjectW  (218432521, 24, 1241324, ... ) == 0x18
 00855   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x80503f9
 00856   424   NtGdiSelectBitmap  (335610825, 218432521, ... ) == 0x185000f
 00857   424   NtGdiSelectBitmap  (889259014, 134546425, ... ) == 0x185000f
 00858   424   NtGdiBitBlt  (889259014, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00859   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0xd050409
 00860   424   NtGdiSelectBitmap  (889259014, 25493519, ... ) == 0x80503f9
 00861   424   NtGdiDeleteObjectApp  (218432521, ... ) == 0x1
 00862   424   NtGdiDeleteObjectApp  (889259014, ... ) == 0x1
 00863   424   NtUserCallOneParam  (0, 33, ... ) == 0x300a3
 00864   424   NtUserSetCursorIconData  (196771, 1241432, 1241448, 1242028, ... ) == 0x1
 00865   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00866   424   NtUserGetDC  (0, ... ) == 0x1010051
 00867   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x10050404
 00868   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00869   424   NtGdiSelectBitmap  (335610825, 268764164, ... ) == 0x185000f
 00870   424   NtGdiGetDCforBitmap  (268764164, ... ) == 0x140103c9
 00871   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00872   424   NtGdiSelectBitmap  (335610825, 268764164, ... ) == 0x10050404
 00873   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00874   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00875   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9911004, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00876   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00877   424   NtGdiSelectBitmap  (335610825, 268764164, ... ) == 0x10050404
 00878   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00879   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x10050404
 00880   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0xf010409
 00881   424   NtGdiExtGetObjectW  (268764164, 24, 1241324, ... ) == 0x18
 00882   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x60503f7
 00883   424   NtGdiSelectBitmap  (335610825, 268764164, ... ) == 0x185000f
 00884   424   NtGdiSelectBitmap  (251724809, 100991991, ... ) == 0x185000f
 00885   424   NtGdiBitBlt  (251724809, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00886   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x10050404
 00887   424   NtGdiSelectBitmap  (251724809, 25493519, ... ) == 0x60503f7
 00888   424   NtGdiDeleteObjectApp  (268764164, ... ) == 0x1
 00889   424   NtGdiDeleteObjectApp  (251724809, ... ) == 0x1
 00890   424   NtUserCallOneParam  (0, 33, ... ) == 0x300a1
 00891   424   NtUserSetCursorIconData  (196769, 1241432, 1241448, 1242028, ... ) == 0x1
 00892   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00893   424   NtUserGetDC  (0, ... ) == 0x1010051
 00894   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x37050406
 00895   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00896   424   NtGdiSelectBitmap  (335610825, 923075590, ... ) == 0x185000f
 00897   424   NtGdiGetDCforBitmap  (923075590, ... ) == 0x140103c9
 00898   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00899   424   NtGdiSelectBitmap  (335610825, 923075590, ... ) == 0x37050406
 00900   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00901   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00902   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9911620, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00903   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00904   424   NtGdiSelectBitmap  (335610825, 923075590, ... ) == 0x37050406
 00905   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00906   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x37050406
 00907   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0x12010404
 00908   424   NtGdiExtGetObjectW  (923075590, 24, 1241324, ... ) == 0x18
 00909   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503fb
 00910   424   NtGdiSelectBitmap  (335610825, 923075590, ... ) == 0x185000f
 00911   424   NtGdiSelectBitmap  (302056452, 151323643, ... ) == 0x185000f
 00912   424   NtGdiBitBlt  (302056452, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00913   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x37050406
 00914   424   NtGdiSelectBitmap  (302056452, 25493519, ... ) == 0x90503fb
 00915   424   NtGdiDeleteObjectApp  (923075590, ... ) == 0x1
 00916   424   NtGdiDeleteObjectApp  (302056452, ... ) == 0x1
 00917   424   NtUserCallOneParam  (0, 33, ... ) == 0x30067
 00918   424   NtUserSetCursorIconData  (196711, 1241432, 1241448, 1242028, ... ) == 0x1
 00919   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00920   424   NtUserGetDC  (0, ... ) == 0x1010051
 00921   424   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x11050409
 00922   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00923   424   NtGdiSelectBitmap  (335610825, 285541385, ... ) == 0x185000f
 00924   424   NtGdiGetDCforBitmap  (285541385, ... ) == 0x140103c9
 00925   424   NtGdiSaveDC  (335610825, ... ) == 0x1
 00926   424   NtGdiSelectBitmap  (335610825, 285541385, ... ) == 0x11050409
 00927   424   NtGdiGetDCObject  (335610825, 524288, ... ) == 0x188000b
 00928   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00929   424   NtGdiSetDIBitsToDeviceInternal  (335610825, 0, 0, 32, 64, 0, 0, 0, 64, 9911312, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00930   424   NtUserSelectPalette  (335610825, 25690123, 0, ... ) == 0x188000b
 00931   424   NtGdiSelectBitmap  (335610825, 285541385, ... ) == 0x11050409
 00932   424   NtGdiRestoreDC  (335610825, -1, ... ) == 0x1
 00933   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x11050409
 00934   424   NtGdiCreateCompatibleDC  (335610825, ... ) == 0x39010406
 00935   424   NtGdiExtGetObjectW  (285541385, 24, 1241324, ... ) == 0x18
 00936   424   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x50503f8
 00937   424   NtGdiSelectBitmap  (335610825, 285541385, ... ) == 0x185000f
 00938   424   NtGdiSelectBitmap  (956367878, 84214776, ... ) == 0x185000f
 00939   424   NtGdiBitBlt  (956367878, 0, 0, 32, 64, 335610825, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00940   424   NtGdiSelectBitmap  (335610825, 25493519, ... ) == 0x11050409
 00941   424   NtGdiSelectBitmap  (956367878, 25493519, ... ) == 0x50503f8
 00942   424   NtGdiDeleteObjectApp  (285541385, ... ) == 0x1
 00943   424   NtGdiDeleteObjectApp  (956367878, ... ) == 0x1
 00944   424   NtUserCallOneParam  (0, 33, ... ) == 0x3009f
 00945   424   NtUserSetCursorIconData  (196767, 1241432, 1241448, 1242028, ... ) == 0x1
 00946   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00947   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00948   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00949   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00950   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00951   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00952   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00953   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00954   424   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00955   424   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00956   424   NtUserGetDC  (0, ... ) == 0x1010051
 00957   424   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00958   424   NtUserEnumDisplayMonitors  (0, 0, 9634404, 10032832, ... ) == 0x1
 00959   424   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00960   424   NtGdiHfontCreate  (1241984, 356, 0, 0, 1327520, ... ) == 0x3a0a0406
 00961   424   NtGdiExtGetObjectW  (973734918, 420, 1241808, ... ) == 0x164
 00962   424   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00963   424   NtGdiHfontCreate  (1241984, 356, 0, 0, 1327512, ... ) == 0x140a0404
 00964   424   NtGdiExtGetObjectW  (336200708, 420, 1241808, ... ) == 0x164
 00965   424   NtGdiHfontCreate  (1241984, 356, 0, 0, 1327504, ... ) == 0x120a0409
 00966   424   NtGdiExtGetObjectW  (302646281, 420, 1241808, ... ) == 0x164
 00967   424   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00968   424   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3604480, 4096, ) == 0x0
 00969   424   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00970   424   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00971   424   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00972   424   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   424   NtUserSetWindowsHookEx  (9502720, 1243796, 0, 4, 9510588, 2, ... ) == 0x3009d
 00974   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00975   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00976   424   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00977   424   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0
 00978   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00982   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00983   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 96, ) == 0x0
 00984   424   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00985   424   NtClose  (92, ... ) == 0x0
 00986   424   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00987   424   NtClose  (96, ... ) == 0x0
 00988   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238196, ... ) }, 1238196, ... ) == 0x0
 00992   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00993   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 92, ) == 0x0
 00994   424   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00995   424   NtClose  (96, ... ) == 0x0
 00996   424   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00997   424   NtClose  (92, ... ) == 0x0
 00998   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237392, ... ) }, 1237392, ... ) == 0x0
 01002   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01003   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 96, ) == 0x0
 01004   424   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01005   424   NtClose  (92, ... ) == 0x0
 01006   424   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01007   424   NtClose  (96, ... ) == 0x0
 01008   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01009   424   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0
 01010   424   NtAllocateVirtualMemory  (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0
 01011   424   NtAllocateVirtualMemory  (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0
 01012   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01013   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01014   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 96, ) }, ... 96, ) == 0x0
 01015   424   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01016   424   NtClose  (96, ... ) == 0x0
 01017   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 96, ) }, ... 96, ) == 0x0
 01018   424   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01019   424   NtClose  (96, ... ) == 0x0
 01020   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 96, ) }, ... 96, ) == 0x0
 01021   424   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01022   424   NtClose  (96, ... ) == 0x0
 01023   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   424   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01025   424   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01026   424   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01027   424   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01028   424   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238328, 0,  (0x1f0003, {24, 52, 0x80, 1238328, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01029   424   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 96, ) }, ... 96, ) == 0x0
 01030   424   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 01031   424   NtCreateKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 01032   424   NtQueryDefaultUILanguage  (1236564, ...
 01033   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01034   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482052, ) == 0x0
 01035   424   NtQueryInformationToken  (-2147482052, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01036   424   NtClose  (-2147482052, ... ) == 0x0
 01037   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482052, ) }, ... -2147482052, ) == 0x0
 01038   424   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   424   NtOpenKey  (0x80000000, {24, -2147482052, 0x640, 0, 0,  (0x80000000, {24, -2147482052, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 01040   424   NtQueryValueKey  (-2147482056,  (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   424   NtClose  (-2147482056, ... ) == 0x0
 01042   424   NtClose  (-2147482052, ... ) == 0x0
 01032   424   NtQueryDefaultUILanguage  ... ) == 0x0
 01043   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 100, {status=0x0, info=1}, ) }, 1, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01045   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 104, ) == 0x0
 01046   424   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa90000), 0x0, 593920, ) == 0x0
 01047   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   424   NtQueryDefaultLocale  (1, 1234600, ... ) == 0x0
 01049   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   424   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0P\275\260\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1500, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0P\275\260\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 416, 424, 1500, 0}  (24, {128, 156, new_msg, 0, 1235456, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0P\275\260\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1500, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0P\275\260\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\341\22\0\0\0\0\0" )  ) == 0x0
 01051   424   NtClose  (100, ... ) == 0x0
 01052   424   NtClose  (104, ... ) == 0x0
 01053   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01054   424   NtUnmapViewOfSection  (-1, 0x12e100, ... ) == STATUS_NOT_MAPPED_VIEW
 01055   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01056   424   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01057   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01058   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01059   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233140, ... ) }, 1233140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01061   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01062   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01063   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 01064   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 104, {status=0x0, info=1}, ) }, 3, 33, ... 104, {status=0x0, info=1}, ) == 0x0
 01065   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01066   424   NtCreateKey  (0x2001f, {24, 64, 0x40, 0, 0,  (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 01067   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01068   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01069   424   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 01071   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01072   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 112, ) == 0x0
 01073   424   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01074   424   NtClose  (108, ... ) == 0x0
 01075   424   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01076   424   NtClose  (112, ... ) == 0x0
 01077   424   NtAllocateVirtualMemory  (-1, 3293184, 0, 8192, 4096, 4, ... 3293184, 8192, ) == 0x0
 01078   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01079   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 01080   424   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01081   424   NtClose  (112, ... ) == 0x0
 01082   424   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 112, ) }, ... 112, ) == 0x0
 01083   424   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084   424   NtClose  (112, ... ) == 0x0
 01085   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 112, ) }, ... 112, ) == 0x0
 01086   424   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01087   424   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01088   424   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01089   424   NtQueryValueKey  (112,  (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01090   424   NtClose  (112, ... ) == 0x0
 01091   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 112, ) }, ... 112, ) == 0x0
 01092   424   NtQueryValueKey  (112,  (112, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01093   424   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01094   424   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01095   424   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01096   424   NtQueryValueKey  (112,  (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01097   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237776, ... ) }, 1237776, ... ) == 0x0
 01098   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01099   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 116, ) == 0x0
 01100   424   NtClose  (108, ... ) == 0x0
 01101   424   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 135168, ) == 0x0
 01102   424   NtClose  (116, ... ) == 0x0
 01103   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01104   424   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01105   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 01106   424   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239332, ... ) }, 1239332, ... ) == 0x0
 01107   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239188,  (0x80100080, {24, 0, 0x40, 0, 1239188, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01108   424   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 116, ... 108, ) == 0x0
 01109   424   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa90000), {0, 0}, 135168, ) == 0x0
 01110   424   NtQueryDefaultLocale  (1, 1238996, ... ) == 0x0
 01111   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01112   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01113   424   NtReadFile  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01114   424   NtQueryInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01115   424   NtSetInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01116   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01117   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01118   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01119   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01120   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01121   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01122   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01123   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01124   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01125   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01126   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01127   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01128   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01129   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01130   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01131   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01132   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01133   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01134   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01135   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01136   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01137   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01138   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01139   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01140   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01141   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01142   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01143   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01144   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01145   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01146   424   NtReadFile  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01147   424   NtQueryInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01148   424   NtSetInformationFile  (116, 1239240, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01149   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01150   424   NtReadFile  (116, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (116, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01151   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01152   424   NtClose  (108, ... ) == 0x0
 01153   424   NtClose  (116, ... ) == 0x0
 01154   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237720, ... ) }, 1237720, ... ) == 0x0
 01155   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01156   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 108, ) == 0x0
 01157   424   NtClose  (116, ... ) == 0x0
 01158   424   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 135168, ) == 0x0
 01159   424   NtClose  (108, ... ) == 0x0
 01160   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01161   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238036, ... ) }, 1238036, ... ) == 0x0
 01162   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01163   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 116, ) == 0x0
 01164   424   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01165   424   NtClose  (108, ... ) == 0x0
 01166   424   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01167   424   NtClose  (116, ... ) == 0x0
 01168   424   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01169   424   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01170   424   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01171   424   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01172   424   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01173   424   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01174   424   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01175   424   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01176   424   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01177   424   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01178   424   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01179   424   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01180   424   NtAllocateVirtualMemory  (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0
 01181   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01182   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01183   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01184   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01185   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01186   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01187   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01188   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01189   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01190   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01191   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01192   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01193   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01194   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01195   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01196   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01197   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01198   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01199   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01200   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01201   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01202   424   NtQueryDefaultLocale  (1, 1236888, ... ) == 0x0
 01203   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236988, ... ) }, 1236988, ... ) == 0x0
 01204   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237720,  (0x80100080, {24, 0, 0x40, 0, 1237720, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01205   424   NtQueryVolumeInformationFile  (116, 1237880, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01206   424   NtQueryInformationFile  (116, 1237772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01207   424   NtQueryInformationFile  (116, 1238064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01208   424   NtClose  (116, ... ) == 0x0
 01209   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236480, ... ) }, 1236480, ... ) == 0x0
 01210   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237212,  (0x80100080, {24, 0, 0x40, 0, 1237212, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01211   424   NtQueryVolumeInformationFile  (116, 1237372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01212   424   NtQueryInformationFile  (116, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01213   424   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 116, ... 108, ) == 0x0
 01214   424   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa90000), {0, 0}, 135168, ) == 0x0
 01215   424   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01216   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01217   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01218   424   NtQueryDefaultLocale  (1, 1237352, ... ) == 0x0
 01219   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01220   424   NtQueryVirtualMemory  (-1, 0xa90000, Basic, 28, ... {BaseAddress=0xa90000,AllocationBase=0xa90000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01221   424   NtReadFile  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (116, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01222   424   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01223   424   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01224   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01225   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01226   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01227   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01228   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01229   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01230   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01231   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01232   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01233   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01234   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01235   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01236   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01237   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01238   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01239   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01240   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01241   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01242   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01243   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01244   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01245   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01246   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01247   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01248   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01249   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01250   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01251   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01252   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01253   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01254   424   NtReadFile  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (116, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01255   424   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01256   424   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01257   424   NtQueryInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01258   424   NtSetInformationFile  (116, 1237600, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01259   424   NtReadFile  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (116, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01260   424   NtReadFile  (116, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (116, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01261   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01262   424   NtClose  (108, ... ) == 0x0
 01263   424   NtClose  (116, ... ) == 0x0
 01264   424   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01265   424   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 116, ) }, ... 116, ) == 0x0
 01266   424   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01267   424   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01268   424   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01269   424   NtQueryValueKey  (116,  (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01270   424   NtClose  (116, ... ) == 0x0
 01271   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   424   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01273   424   NtOpenProcessToken  (-1, 0x8, ... 116, ) == 0x0
 01274   424   NtQueryInformationToken  (116, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01275   424   NtClose  (116, ... ) == 0x0
 01276   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 116, {status=0x0, info=0}, ) }, 7, 16, ... 116, {status=0x0, info=0}, ) == 0x0
 01277   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\244(\36x\214C"Ys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... Ys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01278   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01279   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01280   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01281   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01282   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01283   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01284   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01285   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01286   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "Q2\340\376u\360F>K\275\32Ew\260aj\324\376\340j\270\200\210HL\264*\147\256\33\210v\333\231ka[m\275k\14\262\222\327\372\0&\211\212\366\257\204 \274c\263+\354\300\375S\5(\250\233\322Vc")\343\326\377\251\2644\346\227b", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "Q2\340\376u\360F>K\275\32Ew\260aj\324\376\340j\270\200\210HL\264*\147\256\33\210v\333\231ka[m\275k\14\262\222\327\372\0&\211\212\366\257\204 \274c\263+\354\300\375S\5(\250\233\322Vc")\343\326\377\251\2644\346\227b", 80, ... ) )\343\326\377\251\2644\346\227b", 80, ... ) == 0x0
 01287   424   NtClose  (-2147482052, ... ) == 0x0
 01277   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "(0\230D\312\317@\202\357\2262\310~M\356'\252\37\202\214\350d\10\206\276\3306\3369et\322v\366c\374\2245\357\332\307P\350\15\317\226Xmv\32\276\364E~\265\254\311\353\237\2\365A,\247\222o8\227\365\205\362^I\361\235\363H\357\334c\4\216\235-\271\314\336q<\370\346sWN\227-\327e\256\331\246C\220\235\340-\13\\13\341\327t\305S\254-\317\370\7\243\270v\3624a\314\216hh\35,\241\3364\10\4\353^\231;\33n\345\343v\337"P(\224y}\264\272\210g\227\23AV\30s\327\4zG\315\335.<\327\334"4\227PG\321t\267\15\217yN\26b\\221\253\22X\237*y?-\17\205R\247\2125A\323\205(R\374\267\31\274\216"*\237\337\326\343\ZS\352\211\312Q\34\244\17\376\273\376\202\350\217`\310\375\245a\237}I\7\241]^\1\226\3\32\322|3", ) P(\224y}\264\272\210g\227\23AV\30s\327\4zG\315\335.<\327\334 ... {status=0x0, info=256}, "(0\230D\312\317@\202\357\2262\310~M\356'\252\37\202\214\350d\10\206\276\3306\3369et\322v\366c\374\2245\357\332\307P\350\15\317\226Xmv\32\276\364E~\265\254\311\353\237\2\365A,\247\222o8\227\365\205\362^I\361\235\363H\357\334c\4\216\235-\271\314\336q<\370\346sWN\227-\327e\256\331\246C\220\235\340-\13\\13\341\327t\305S\254-\317\370\7\243\270v\3624a\314\216hh\35,\241\3364\10\4\353^\231;\33n\345\343v\337"P(\224y}\264\272\210g\227\23AV\30s\327\4zG\315\335.<\327\334"4\227PG\321t\267\15\217yN\26b\\221\253\22X\237*y?-\17\205R\247\2125A\323\205(R\374\267\31\274\216"*\237\337\326\343\ZS\352\211\312Q\34\244\17\376\273\376\202\350\217`\310\375\245a\237}I\7\241]^\1\226\3\32\322|3", ) *\237\337\326\343\ZS\352\211\312Q\34\244\17\376\273\376\202\350\217`\310\375\245a\237}I\7\241]^\1\226\3\32\322|3", ) == 0x0
 01288   424   NtClose  (112, ... ) == 0x0
 01289   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366lQ~\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01290   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01291   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01292   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01293   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01294   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01295   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01296   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01297   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01298   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\333\325\235\307M\265\361\313,\14d\2067u\17\327Z5\355\215\20\203q\312\232\316\372\275\303\234\224\327, 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\333\325\235\307M\265\361\313,\14d\2067u\17\327Z5\355\215\20\203q\312\232\316\372\275\303\234\224\327, 80, ... ) , 80, ... ) == 0x0
 01299   424   NtClose  (-2147482052, ... ) == 0x0
 01289   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ".B\201\12Vq:\300\341\326\262,]\235\241\365\10\33Y\11\234M\241&\374WR\1d\316\267Z\263)\217<\306\310g\302\316SS\315j9\211\224\364p\216h\264\6\251\256%\356\272\177\2179\203\301\344\3\242\16\370'\374\306\373:9_\233\351\31\202\203\345\3138\202\363\373\11c\352\241&\330\26\355\3\207\305=\371\32P5\313W\205\2241\3172\276E\353\3146\327 \311w\311\244\260\224p1\246\20\362\12\216/\362>x\305\375\351LDFu\275LG/\237vo\201\33\26\10\247X\4\325\317\252l#\236+--\224\6`\333.B\34\214\22j|3\11}|;\356\322\30\310\305u\241\346\266Aa\241p\215\37\320\32u\275\373\375\342m\355\316\242\310\23fl\360>\217@++}\342\355\251^\353l\344\13\362\221\377\376\0S\350\210L\303NW\20\362\242\246\210~-+*r\300\225j<\213\0\306U", ) , ) == 0x0
 01300   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01301   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01302   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01303   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01304   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01305   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01306   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01307   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01308   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01309   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "V\235p\356l\272\14]\315r\344\3\314\223v=\255'g\334x\351xE\25yD\261\16\366\344\303\224\376Z\354"\200\347\25\21\331g\242W\10\324\204/\4\311.@\273\357\266\23\300\256Q\250\317\24\270\227:\352(3\335-\347\3449\223f;_3q", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "V\235p\356l\272\14]\315r\344\3\314\223v=\255'g\334x\351xE\25yD\261\16\366\344\303\224\376Z\354"\200\347\25\21\331g\242W\10\324\204/\4\311.@\273\357\266\23\300\256Q\250\317\24\270\227:\352(3\335-\347\3449\223f;_3q", 80, ... ) \200\347\25\21\331g\242W\10\324\204/\4\311.@\273\357\266\23\300\256Q\250\317\24\270\227:\352(3\335-\347\3449\223f;_3q", 80, ... ) == 0x0
 01310   424   NtClose  (-2147482052, ... ) == 0x0
 01300   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\352\211\353\231e\257Bu\351=6\24270}k\263\223\22\320k\313C\237\376r\267\342\331\316\205\322>\345\275whP\365^\4\353d:\310)xJB~%\262\12\240IY\305\322#\234@\253\271\246\223 j7\3511\304\310\3509@i\36\204\306\204\275\353<\307\261 cX0\305\214/\3605)\253\361\206$\210k}W\263\364?AD[\31C\320\15o\346\11\247\224Z\323\3vv\23\314F\325s\246\316i\13\371\336e:2v\\2(\273,\201\232D\30b\255\305\374\346\355\326\375\227\226\376\374\270\203\7\274\234\276\311\324k\242\33T\366WT{\205n\177g\31\25D`b\222~\6\265\312\206E\305\207{I\272~\362\205g\3312\224a$\263\215\31\207B\334L\353\363\334!2\214\361\252ku\30h\354\214\314\352\27\225\201\276S\251w\177O0\240\267\32\20\235\264T\303P\30Ru\277\337S\303\370\255", ) , ) == 0x0
 01311   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320}\371o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01312   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01313   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01314   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01315   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01316   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01317   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01318   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01319   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01320   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\264\323\205\327\242\375\304x\2758{\300\347$\202\69\227\212\302\257nf\341\221\260.\240!\376\322\243?\350\323I\216\215\323uyj(\221"M\314\351\6\341\263\373\332M\303w\177\241D2*\223\5\333\S\24\3o[\14\307\240\211\316\331\24\316Ba", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\264\323\205\327\242\375\304x\2758{\300\347$\202\69\227\212\302\257nf\341\221\260.\240!\376\322\243?\350\323I\216\215\323uyj(\221"M\314\351\6\341\263\373\332M\303w\177\241D2*\223\5\333\S\24\3o[\14\307\240\211\316\331\24\316Ba", 80, ... ) M\314\351\6\341\263\373\332M\303w\177\241D2*\223\5\333\S\24\3o[\14\307\240\211\316\331\24\316Ba", 80, ... ) == 0x0
 01321   424   NtClose  (-2147482052, ... ) == 0x0
 01311   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\341\355\202%\233-\217G\237\364\320~\203U\256t-\343\372\365\330\334^[\263Fe0v\247\26\351\271\260sR6\316\244\37\14\360\25\235\276R\255\311|C\256D\267.\31\230\263\206\207\226j\266#y\317A\330\274J\333P\300cr\220M\10\320=\333\263\215\340\204\275\270\222\334\204#\374\370\337}\222\34\4i*\327\336\232"/\244@V\342L\23\330yJ\31KW\365\307\257\246\276/L\5\222\332\3|(\25\267\17X\301\215\256\210l(\316g|r\242\231p\300\306i\35\261n\332\316a=\311%\16\23\304\321\24\251;\302\251\276;T\14g\313eR\366\20l\324\7\304S\262\314z\364\374\277\36\307g\314\33\211\361A\17\340\277\246\272/U\317 5\74\212qh\307\270\213\16b\15\267j\321\310\351w\260\33\32\262\26\220!\224m\362\240\221\262_G\21\235\237D\0\305\343\11iS3\241Sxt\337\250\11", ) /\244@V\342L\23\330yJ\31KW\365\307\257\246\276/L\5\222\332\3|(\25\267\17X\301\215\256\210l(\316g|r\242\231p\300\306i\35\261n\332\316a=\311%\16\23\304\321\24\251;\302\251\276;T\14g\313eR\366\20l\324\7\304S\262\314z\364\374\277\36\307g\314\33\211\361A\17\340\277\246\272/U\317 5\74\212qh\307\270\213\16b\15\267j\321\310\351w\260\33\32\262\26\220!\224m\362\240\221\262_G\21\235\237D\0\305\343\11iS3\241Sxt\337\250\11", ) == 0x0
 01322   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01323   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01324   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01325   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01326   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01327   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01328   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01329   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01330   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01331   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "(\257 i\330\301\337\35e\276?\210\301fo\231\355\2\0F\35'V\6C\242$\375\264K\367\213g\222~C\345\323\270\375\221j\27\323H\5k\333\337\3575zb\344\200W@\316}\272\236\37\213\345\326\261\233\363\7*c\243\325^\250)5\316\352", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "(\257 i\330\301\337\35e\276?\210\301fo\231\355\2\0F\35'V\6C\242$\375\264K\367\213g\222~C\345\323\270\375\221j\27\323H\5k\333\337\3575zb\344\200W@\316}\272\236\37\213\345\326\261\233\363\7*c\243\325^\250)5\316\352", 80, ... ) , 80, ... ) == 0x0
 01332   424   NtClose  (-2147482052, ... ) == 0x0
 01322   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\251\332\305T\353\266l\256\223\254\272\344)I\370ARk\211\322_\5\245\353\254z\3775\322\37\225\1\255{\312\334'\364\214\35\323\356I \7\216h\324\270\3D\24\336n\355\354%\221\35\337\330\5\241l\213\326\272{\250\332\2kXk\256\246\244\201\367/\256\264\270&S\206\17\330~\316\2655JtQ;:\232\15\252\256\236\11\214\270\2\256\333\305\351PS\314IHL\374\3706K#\3111\326\372p\242\373U\313fGO\11\36\253x\327\221n\33 7q}i\201\242\30\22\371\370\36\256\233`Zs\177\223\322\252\240i\370",\364\270\26#\341\371\317v\256\352\223o\366Z\262\13\2\10\320\312\350\273\230\305y\200I(K]Av\210\3470i\332p|7R\12\307vH\363\360(2p\211\0\27$\305\334\35jb]w\276\246?\207)\375\1 e364\270\26#\341\371\317v\256\352\223o\366Z\262\13\2\10\320\312\350\273\230\305y\200I(K]Av\210\3470i\332p|7R\12\307vH\363\360(2p\211\0\27$\305\334\35jb]w\276\246?\207)\375\1 e35\16aw\363\365\341\14\237^\15\371+b\24}", ) == 0x0
 01333   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01334   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01335   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01336   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01337   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01338   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01339   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01340   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01341   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01342   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "-\307\266\220\346]\336\13_7\336L%F\276\345F\33\35\2177\26\4\364\252\216\373\336\311\255Y\3104%K\203!\264\333F\325\342\363\356\227~?\360\241\7\374-\230\245\272\315\277\301\244C\347\25\215\217\224m\244{\314\20\6-6\313\374\256e8d\354", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "-\307\266\220\346]\336\13_7\336L%F\276\345F\33\35\2177\26\4\364\252\216\373\336\311\255Y\3104%K\203!\264\333F\325\342\363\356\227~?\360\241\7\374-\230\245\272\315\277\301\244C\347\25\215\217\224m\244{\314\20\6-6\313\374\256e8d\354", 80, ... ) , 80, ... ) == 0x0
 01343   424   NtClose  (-2147482052, ... ) == 0x0
 01333   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "J\300X\26(a\314\263\31zx\352\377\22\366\32~\247\370\230\300fC\253\375\4\206DD1\310C\376]\1a2P\232\235\24'I\246\320t\11\22D\2566\276\362\301\234\\346\363\325\250d\\211Z7a\27r\247\202\214\305 \200v\332\251\277\201_\346\275\235\345\211\275\270\325\361NB\347W#\342\227\143P\203\311a\277L\16\13\345U\251FLpZ\27\261L\375p\273Nn\266i\214\231\b\35\240\346\364\15\235K\\7\10\22W\365\370\346~\214&\275!\313\222\225\217\275lk\357S\3738\320\302\1u\13)-\332\274\13\16\6\05\2\300\277xIhr(\362\351*\227SgG\306\242<\252\212\27sZ\354L\242\345\360\7=\2106\366\0\330\246o\356\274J\12_]\200-}\372:Z\2454\275\367\375\353\221\241s\2176\264\251\262\304\276-\32\364 \221\255\207\31\247\334\2\302)\4.\256,\336", ) , ) == 0x0
 01344   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01345   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01346   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01347   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01348   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01349   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01350   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01351   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01352   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01353   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "qv_\3307\313r\300&A\234\\344\312\352\257\363\265*\226\222\260\377\215\261\314A\20\272\262\33\342=9\222\341\314\302\270@\273k\7\230\315x\301{\3132/\2559\26\5\273o#\20!h\366Uyw\3379\361\333\2064\274qke\246;\370\252[", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "qv_\3307\313r\300&A\234\\344\312\352\257\363\265*\226\222\260\377\215\261\314A\20\272\262\33\342=9\222\341\314\302\270@\273k\7\230\315x\301{\3132/\2559\26\5\273o#\20!h\366Uyw\3379\361\333\2064\274qke\246;\370\252[", 80, ... ) , 80, ... ) == 0x0
 01354   424   NtClose  (-2147482052, ... ) == 0x0
 01344   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "&S\21D\371E\243?\316u\16\366m\177J\245n\276\2\230\0\3548\3\211\342 \267C\325\342\300\356\310HW\372,:22u\2\377]Zg1d\23l\220\2\331\377\262\35\26\352OUS\306~\200q[\254=\23\266I0\350\301\255<\232AK\351\322\211\374\270\26\213\272\25\6$\247\7\340\212w\237\22\21\2p\240kz\303\202v\366\313\367\307\371\245T\351`A\202|\371\254\33\306\331\221K\226\231\35EU\230=\200\\332\6\256\7&4\300\16k\261\322(ukVz\230w\367@{\255We\251\304\313#\35K}5\2\255>G\346\356E\203\31\257\326\3022R\264R\345\155X\374e\16U\214\352\0\25\343\24\35\11\25\202\260\213'\340\247\224\302\37\215\26q\332\322\350\376\216\337\210:L\34\241\252\300\343\217\222\223 \33:;n\224v\201\262\207\237,, ) , ) == 0x0
 01355   424   NtDeviceIoControlFile  (116, 0, 0x0, 0x0, 0x390008,  (116, 0, 0x0, 0x0, 0x390008, "%k[\360\221~_\344B\310\6\226\366l\21\24o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320}\371o\311\225\270\320=\223\271\267\217\15\2365\236\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01356   424   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01357   424   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01358   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01359   424   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01360   424   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01361   424   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01362   424   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01363   424   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482052, 2, ) }, 0, 0x0, 0, ... -2147482052, 2, ) == 0x0
 01364   424   NtSetValueKey  (-2147482052,  (-2147482052, "Seed", 0, 3, "\240\275:\203\261\371="\3545\352\275\307\244BI\26\236\371\16\25\36S\223\30\202\251J\13\226\216c\335k.\1\332\344t\354x^\3438r\24\364\257\263\255\336J\25\24J\25k\340\337N\17_\361\243)\340\251\277\364\22\204 S\246\26\21\216\270\1772", 80, ... ) , 0, 3,  (-2147482052, "Seed", 0, 3, "\240\275:\203\261\371="\3545\352\275\307\244BI\26\236\371\16\25\36S\223\30\202\251J\13\226\216c\335k.\1\332\344t\354x^\3438r\24\364\257\263\255\336J\25\24J\25k\340\337N\17_\361\243)\340\251\277\364\22\204 S\246\26\21\216\270\1772", 80, ... ) \3545\352\275\307\244BI\26\236\371\16\25\36S\223\30\202\251J\13\226\216c\335k.\1\332\344t\354x^\3438r\24\364\257\263\255\336J\25\24J\25k\340\337N\17_\361\243)\340\251\277\364\22\204 S\246\26\21\216\270\1772", 80, ... ) == 0x0
 01365   424   NtClose  (-2147482052, ... ) == 0x0
 01355   424   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\365V\177\315: \15X\332\320m\271d|F2\303\17\4\375v*\356:\310\37-\321\211q\333vw\371G&\334\270\217\3714\213\3228\365\245\374\344\254\321\331jJ\252\350\364\377\264B\306\362\200\223?\254K\226%\237\231, ) , ) == 0x0
 01366   424   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0
 01367   424   NtQueryVolumeInformationFile  (112, 1238968, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01368   424   NtClose  (12, ... ) == 0x0
 01369   424   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238188,  (0x80100080, {24, 0, 0x40, 0, 1238188, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01371   424   NtQueryInformationFile  (12, 1239124, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01372   424   NtQueryInformationFile  (12, 1239096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01373   424   NtQueryInformationFile  (12, 1239048, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01374   424   NtAllocateVirtualMemory  (-1, 1392640, 0, 8192, 4096, 4, ... 1392640, 8192, ) == 0x0
 01375   424   NtQueryInformationFile  (12, 1391904, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01376   424   NtQueryInformationFile  (12, 1237592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01377   424   NtQueryInformationFile  (12, 1237436, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01378   424   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237444,  (0x40110080, {24, 0, 0x40, 0, 1237444, "\??\C:\WINDOWS\System32\Isass.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01379   424   NtClose  (-2147482052, ... ) == 0x0
 01378   424   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 01380   424   NtQueryVolumeInformationFile  (108, 1236816, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01381   424   NtQueryInformationFile  (108, 1236776, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01382   424   NtQueryVolumeInformationFile  (12, 1236816, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01383   424   NtQueryVolumeInformationFile  (12, 1236500, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01384   424   NtSetInformationFile  (108, 1236604, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01385   424   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 120, ) == 0x0
 01386   424   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa90000), {0, 0}, 225280, ) == 0x0
 01387   424   NtClose  (120, ... ) == 0x0
 01388   424   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\00\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01389   424   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\266\233\252\347-\275\271V\262;\7\227\10\2614\347xy\3136\316\364 \6\275\310r\204\6\307\26C\363;\251\305\341\322C\330\336:`\7\22\212\37sG\257\346:#\247\15P0\165\302\353\364No\326\315f\31v\372\230NS\3209{[\355\302\30 \356\305\226\217\310\6H\334\313\210=\217/`m\267\261\276\310\36\271\303\266\273H\22Ac\222@\304@l\200\34\13L\235\257\347\362+<\37\222\254\360\351\370\375H\231\215\376zXe\312\266D/\274r\377s\353\15\20u\315$K\311h,\250g\350\214\275\327\304\207;\314.\112\367\334\34\31\15\24\34"\211\370`\3438\254\10|;+\17\376\203\323X\10\250\270\220|\255R\5\22\357\17u@\327\233\344{'';\233\205\332\350{\367\d\16\367\346f\355\16\262\251h\357\17uY\10rx\204\23\312\224\212\30\227\371\243\214\366S\277\1o\3633\353\222\200\372\354\330\373\225A8\373\12\244\340\3&1hTA\224\27|e"\20\20\350\270Zx\205\24d}\37\1\340\3618\235Z\22\12@g\226\214x(\201\206LIa\274\233\252\355\340\201\366\31\267gj\274\374\12\33?\6\300\216SYw\5\275\3705E\323\17vh\377+s#\351`\1\25\202j\12zT\262\306\11\271\2718\307\24\324$_\212\370\231\321\215%fV},\6\363!f{\240C\373(\371\366\234\2233\11PK\363\221p\375\321\351\206,uZt\3\340YM\3653"\375\24h\242\313\216\357<*\3246\303/\233rO\266l\345\355\253\216\236\236\307\337]5\330\241=\265\222\326\1\376\34."\224Fh-\376R|_G\331\222\204\256\12@o\355\224!\333\264\2400n\2023L B, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \211\370`\3438\254\10|;+\17\376\203\323X\10\250\270\220|\255R\5\22\357\17u@\327\233\344{'';\233\205\332\350{\367\d\16\367\346f\355\16\262\251h\357\17uY\10rx\204\23\312\224\212\30\227\371\243\214\366S\277\1o\3633\353\222\200\372\354\330\373\225A8\373\12\244\340\3&1hTA\224\27|e (108, 0, 0, 0, "\266\233\252\347-\275\271V\262;\7\227\10\2614\347xy\3136\316\364 \6\275\310r\204\6\307\26C\363;\251\305\341\322C\330\336:`\7\22\212\37sG\257\346:#\247\15P0\165\302\353\364No\326\315f\31v\372\230NS\3209{[\355\302\30 \356\305\226\217\310\6H\334\313\210=\217/`m\267\261\276\310\36\271\303\266\273H\22Ac\222@\304@l\200\34\13L\235\257\347\362+<\37\222\254\360\351\370\375H\231\215\376zXe\312\266D/\274r\377s\353\15\20u\315$K\311h,\250g\350\214\275\327\304\207;\314.\112\367\334\34\31\15\24\34"\211\370`\3438\254\10|;+\17\376\203\323X\10\250\270\220|\255R\5\22\357\17u@\327\233\344{'';\233\205\332\350{\367\d\16\367\346f\355\16\262\251h\357\17uY\10rx\204\23\312\224\212\30\227\371\243\214\366S\277\1o\3633\353\222\200\372\354\330\373\225A8\373\12\244\340\3&1hTA\224\27|e"\20\20\350\270Zx\205\24d}\37\1\340\3618\235Z\22\12@g\226\214x(\201\206LIa\274\233\252\355\340\201\366\31\267gj\274\374\12\33?\6\300\216SYw\5\275\3705E\323\17vh\377+s#\351`\1\25\202j\12zT\262\306\11\271\2718\307\24\324$_\212\370\231\321\215%fV},\6\363!f{\240C\373(\371\366\234\2233\11PK\363\221p\375\321\351\206,uZt\3\340YM\3653"\375\24h\242\313\216\357<*\3246\303/\233rO\266l\345\355\253\216\236\236\307\337]5\330\241=\265\222\326\1\376\34."\224Fh-\376R|_G\331\222\204\256\12@o\355\224!\333\264\2400n\2023L B, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \375\24h\242\313\216\357<*\3246\303/\233rO\266l\345\355\253\216\236\236\307\337]5\330\241=\265\222\326\1\376\34. (108, 0, 0, 0, "\266\233\252\347-\275\271V\262;\7\227\10\2614\347xy\3136\316\364 \6\275\310r\204\6\307\26C\363;\251\305\341\322C\330\336:`\7\22\212\37sG\257\346:#\247\15P0\165\302\353\364No\326\315f\31v\372\230NS\3209{[\355\302\30 \356\305\226\217\310\6H\334\313\210=\217/`m\267\261\276\310\36\271\303\266\273H\22Ac\222@\304@l\200\34\13L\235\257\347\362+<\37\222\254\360\351\370\375H\231\215\376zXe\312\266D/\274r\377s\353\15\20u\315$K\311h,\250g\350\214\275\327\304\207;\314.\112\367\334\34\31\15\24\34"\211\370`\3438\254\10|;+\17\376\203\323X\10\250\270\220|\255R\5\22\357\17u@\327\233\344{'';\233\205\332\350{\367\d\16\367\346f\355\16\262\251h\357\17uY\10rx\204\23\312\224\212\30\227\371\243\214\366S\277\1o\3633\353\222\200\372\354\330\373\225A8\373\12\244\340\3&1hTA\224\27|e"\20\20\350\270Zx\205\24d}\37\1\340\3618\235Z\22\12@g\226\214x(\201\206LIa\274\233\252\355\340\201\366\31\267gj\274\374\12\33?\6\300\216SYw\5\275\3705E\323\17vh\377+s#\351`\1\25\202j\12zT\262\306\11\271\2718\307\24\324$_\212\370\231\321\215%fV},\6\363!f{\240C\373(\371\366\234\2233\11PK\363\221p\375\321\351\206,uZt\3\340YM\3653"\375\24h\242\313\216\357<*\3246\303/\233rO\266l\345\355\253\216\236\236\307\337]5\330\241=\265\222\326\1\376\34."\224Fh-\376R|_G\331\222\204\256\12@o\355\224!\333\264\2400n\2023L B, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01390   424   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\234s\340\365\347\3343\340b:\277\10\373\365y\220H\314\260\23\110\215\303\302\366\321P\354\335\213~\7\362\314~i\251\315\252\377\22\244\237_\204\201J;7y\14\17\251t_\370\272\341`\341\277\3736\177\225\10\310\34q\16^ \325:\220d\371,\35X\322\364\1\346\361_n\360\266\224%X'\212g\36\220\17\3719\11\2z&\15\302\226yZ\12\251\303ru@\345\360U|\306\224,n\215\220vw\323\343-\37D\247\265W\12\277\200\262q%4\37\2052$\332\271\327\306vK0.@\202\3523\10T\317D\360t\375\10\346<7\277\321\314nE\30\213\213^[\336P4\36\230\232hp7\274;=\5\13E\33\222\205b\37\241\233V,\320Y\332\275\343\37\377Np\223!\342\365w+6\3469\30\370\23\350\244\222\311\341Gk?1`Y\357\273\354\366-\213\350^\365\257om\207\342\263VN\264k\325\305\232\11\337\256;7\33s\356QdZ\274:\250\26p\12\311x8\15~\301k\233\200&\270\371\26\201[\30l\311\334X/Ar\37z6B<0\320\270\2W\205\204\350\374]\313\7B\305\241\2135q\237\10Qa\371\302(H\235\221o\13\24\324B\335\203\212\203\15\313@\335\254\23>\330\225\271\14\357\266\224\257nJ\237X|\362\214\31w\260\220B\256\262FQv\335\222\217 \315\11\3\\333SM\340q\27&sIm\204t3\256S[\330\262\330\331\272\22\79\271\221\3\263y\375\4(\253\257\10\370~\2622\234\25\270\1&q\\246\265\351r=V\302\0\220\366\275\272<\0\232\341\351|J\243\16y\361\375=\253-y\16R\345\276\3511\271J\37\325\177q\2739\262WC\15x\370D\26h3\5\207]"2z\205\245t\177\344f\212\215\16\305'\340\211\213\360", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 2z\205\245t\177\344f\212\215\16\305'\340\211\213\360", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01391   424   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\217A\363\260\305HY\221|\220um\257)hcEr\0\36\254\205\243\260JX\1!\311(dF\262\236\253R1\225\233[t\232\270i$\355Pw\322\262\216\225\251\332{sJ\320A\332\253\205?\250\335v i<\177\33\2\3513e{/`"\3 \322AK\323\256\14\231\231\369H\252\254R\242\271\263\2006\177\373$\317\365y\11\347B\353\223\17\235H]!\360\337\355\352\21\317\271s\376<\13\311\32\317\204\347e h\364i\330\344)\367\202h\16m\330\3\243\260\226h\16H/|\333i!\240\3\276\330\2\3706%h\16\215\23\370U\16\254hI\352\322\321o?.]\262\351\23\345~\2222Pcg\14\4\331\234\304\240?\213\362'\212.\345\366c\350=\22\350\311\267\230-\320\230T+H!5\214@\17\250S\331\253jw\36\240\177`\224\7\252g3Z\16\322\263\0\3533s&\267Z\360\340tw\330kH\234\333\330\227\16\270\264a\232\377Ts\316\221\340\30\340\376\246\14h\357\265\360+\351/h{\3454^\121\23\\324Q\216\232p\16\315Pdk\273\344\7\253>+k\T\13\262\223\220\24x\375\263\330{K\217\224i\322d6\353\365\321k{\361\243\220h!\260\18y\260`n\333\224\3\375\326\275\204D0\20\22V\374\324\205n\13\233\0h\355x\226\371\326\243\4Tm4\15\13\272\262+\277\222\263\330k\313\240\10x\370%@e\231\343\200k\346\241;a\373\351\201\221;\264\0*\310\256\37\6i\263\250\13K\1\334\32\222\340\207S\375\345\312\265\332qVzE\313K\355\255\340\2H\367\267\34\252Y\2135*d\366\242\177\332\21"\6\267Kx\345\376\346\350\342\255:\373\340\355\212\2715w", 38872, 0x0, 0, ... {status=0x0, info=38872}, ) \3 \322AK\323\256\14\231\231\369H\252\254R\242\271\263\2006\177\373$\317\365y\11\347B\353\223\17\235H]!\360\337\355\352\21\317\271s\376<\13\311\32\317\204\347e h\364i\330\344)\367\202h\16m\330\3\243\260\226h\16H/|\333i!\240\3\276\330\2\3706%h\16\215\23\370U\16\254hI\352\322\321o?.]\262\351\23\345~\2222Pcg\14\4\331\234\304\240?\213\362'\212.\345\366c\350=\22\350\311\267\230-\320\230T+H!5\214@\17\250S\331\253jw\36\240\177`\224\7\252g3Z\16\322\263\0\3533s&\267Z\360\340tw\330kH\234\333\330\227\16\270\264a\232\377Ts\316\221\340\30\340\376\246\14h\357\265\360+\351/h{\3454^\121\23\\324Q\216\232p\16\315Pdk\273\344\7\253>+k\T\13\262\223\220\24x\375\263\330{K\217\224i\322d6\353\365\321k{\361\243\220h!\260\18y\260`n\333\224\3\375\326\275\204D0\20\22V\374\324\205n\13\233\0h\355x\226\371\326\243\4Tm4\15\13\272\262+\277\222\263\330k\313\240\10x\370%@e\231\343\200k\346\241;a\373\351\201\221;\264\0*\310\256\37\6i\263\250\13K\1\334\32\222\340\207S\375\345\312\265\332qVzE\313K\355\255\340\2H\367\267\34\252Y\2135*d\366\242\177\332\21276\275\312\341r\342\213F\321\357\35\367,\221\370M\250 (108, 0, 0, 0, "\217A\363\260\305HY\221|\220um\257)hcEr\0\36\254\205\243\260JX\1!\311(dF\262\236\253R1\225\233[t\232\270i$\355Pw\322\262\216\225\251\332{sJ\320A\332\253\205?\250\335v i<\177\33\2\3513e{/`"\3 \322AK\323\256\14\231\231\369H\252\254R\242\271\263\2006\177\373$\317\365y\11\347B\353\223\17\235H]!\360\337\355\352\21\317\271s\376<\13\311\32\317\204\347e h\364i\330\344)\367\202h\16m\330\3\243\260\226h\16H/|\333i!\240\3\276\330\2\3706%h\16\215\23\370U\16\254hI\352\322\321o?.]\262\351\23\345~\2222Pcg\14\4\331\234\304\240?\213\362'\212.\345\366c\350=\22\350\311\267\230-\320\230T+H!5\214@\17\250S\331\253jw\36\240\177`\224\7\252g3Z\16\322\263\0\3533s&\267Z\360\340tw\330kH\234\333\330\227\16\270\264a\232\377Ts\316\221\340\30\340\376\246\14h\357\265\360+\351/h{\3454^\121\23\\324Q\216\232p\16\315Pdk\273\344\7\253>+k\T\13\262\223\220\24x\375\263\330{K\217\224i\322d6\353\365\321k{\361\243\220h!\260\18y\260`n\333\224\3\375\326\275\204D0\20\22V\374\324\205n\13\233\0h\355x\226\371\326\243\4Tm4\15\13\272\262+\277\222\263\330k\313\240\10x\370%@e\231\343\200k\346\241;a\373\351\201\221;\264\0*\310\256\37\6i\263\250\13K\1\334\32\222\340\207S\375\345\312\265\332qVzE\313K\355\255\340\2H\367\267\34\252Y\2135*d\366\242\177\332\21"\6\267Kx\345\376\346\350\342\255:\373\340\355\212\2715w", 38872, 0x0, 0, ... {status=0x0, info=38872}, ) , 38872, 0x0, 0, ... {status=0x0, info=38872}, ) == 0x0
 01392   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01393   424   NtSetInformationFile  (108, 1239048, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01394   424   NtClose  (12, ... ) == 0x0
 01395   424   NtClose  (108, ... ) == 0x0
 01396   424   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113568, ... 108, {status=0x0, info=1}, ) }, 7, 2113568, ... 108, {status=0x0, info=1}, ) == 0x0
 01397   424   NtSetInformationFile  (108, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01398   424   NtClose  (108, ... ) == 0x0
 01399   424   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 7, 2113568, ... 108, {status=0x0, info=1}, ) }, 7, 2113568, ... 108, {status=0x0, info=1}, ) == 0x0
 01400   424   NtSetInformationFile  (108, 1239248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01401   424   NtClose  (108, ... ) == 0x0
 01402   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238952,  (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01403   424   NtQueryInformationFile  (108, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01404   424   NtClose  (108, ... ) == 0x0
 01405   424   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238952,  (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\System32\Isass.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 01406   424   NtSetInformationFile  (108, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01407   424   NtClose  (108, ... ) == 0x0
 01408   424   NtOpenFile  (0x10080, {24, 112, 0x40, 0, 0,  (0x10080, {24, 112, 0x40, 0, 0, "zufbj.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   424   NtCreateFile  (0x40100080, {24, 112, 0x40, 0, 1239200,  (0x40100080, {24, 112, 0x40, 0, 1239200, "zufbj.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 108, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 108, {status=0x0, info=2}, ) == 0x0
 01410   424   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del zufbj.bat\15\12", 121, 0x0, 0, ... {status=0x0, info=121}, ) , 121, 0x0, 0, ... {status=0x0, info=121}, ) == 0x0
 01411   424   NtClose  (108, ... ) == 0x0
 01412   424   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01413   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232540, ... ) }, 1232540, ... ) == 0x0
 01414   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01415   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 12, ) == 0x0
 01416   424   NtClose  (108, ... ) == 0x0
 01417   424   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 262144, ) == 0x0
 01418   424   NtClose  (12, ... ) == 0x0
 01419   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01420   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01421   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01422   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01423   424   NtAllocateVirtualMemory  (-1, 1400832, 0, 16384, 4096, 4, ... 1400832, 16384, ) == 0x0
 01424   424   NtUserRegisterClassExWOW  (1234624, 1234704, 1234688, 1234720, 0, 384, 0, ... ) == 0x810fc038
 01425   424   NtUserGetAtomName  (49208, 1233388, ... ) == 0x15
 01426   424   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01427   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230912, ... ) }, 1230912, ... ) == 0x0
 01428   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01429   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 108, ) == 0x0
 01430   424   NtClose  (12, ... ) == 0x0
 01431   424   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 204800, ) == 0x0
 01432   424   NtClose  (108, ... ) == 0x0
 01433   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 01434   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231228, ... ) }, 1231228, ... ) == 0x0
 01435   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01436   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 12, ) == 0x0
 01437   424   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01438   424   NtClose  (108, ... ) == 0x0
 01439   424   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01440   424   NtClose  (12, ... ) == 0x0
 01441   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01442   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01443   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01444   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01445   424   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01446   424   NtClose  (12, ... ) == 0x0
 01447   424   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01448   424   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01449   424   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 01450   424   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   424   NtClose  (108, ... ) == 0x0
 01452   424   NtClose  (12, ... ) == 0x0
 01453   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01454   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01455   424   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01456   424   NtClose  (12, ... ) == 0x0
 01457   424   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01458   424   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 01459   424   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   424   NtClose  (108, ... ) == 0x0
 01461   424   NtClose  (12, ... ) == 0x0
 01462   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 01465   424   NtUserGetProcessWindowStation  (... ) == 0x28
 01466   424   NtUserGetObjectInformation  (40, 2, 0, 0, 1233024, ... ) == 0x0
 01467   424   NtUserGetObjectInformation  (40, 2, 1356272, 16, 1233024, ... ) == 0x1
 01468   424   NtUserGetGUIThreadInfo  (424, 1232980, ... ) == 0x1
 01469   424   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232800, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01470   424   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 416, 424, 1503, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01471   424   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1504, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 416, 424, 1504, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1504, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01472   424   NtUserCallNoParam  (29, ...
 01473   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230272, ... ) }, 1230272, ... ) == 0x0
 01472   424   NtUserCallNoParam  ... ) == 0x0
 01474   424   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01475   424   NtGdiHfontCreate  (1232352, 356, 0, 0, 1327496, ... ) == 0xc0a03da
 01476   424   NtGdiHfontCreate  (1232352, 356, 0, 0, 1327488, ... ) == 0x70a03d8
 01477   424   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1505, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 416, 424, 1505, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 416, 424, 1505, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01478   424   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa90000), {0, 0}, 331776, ) == 0x0
 01479   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01480   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01481   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01482   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01483   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01484   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01485   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01486   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01487   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01488   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01489   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01490   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01491   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01492   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01493   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01494   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01495   424   NtUserGetWindowDC  (0, ... ) == 0x1010054
 01496   424   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x61003dc
 01497   424   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 01498   424   NtUserCallNoParam  (29, ...
 01499   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229716, ... ) }, 1229716, ... ) == 0x0
 01498   424   NtUserCallNoParam  ... ) == 0x0
 01500   424   NtUserCallNoParam  (29, ...
 01501   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0
 01500   424   NtUserCallNoParam  ... ) == 0x0
 01502   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ska1.tmp"}, 1230888, ... ) }, 1230888, ... ) == 0x0
 01503   424   NtUserMessageCall  (0x100c8, WM_NCCREATE, 0x0, 0x12d198, 0, 670, 0, ... ) == 0x1
 01504   424   NtUserMessageCall  (0x100c8, WM_NCCALCSIZE, 0x0, 0x12d1c0, 0, 670, 0, ... ) == 0x0
 01505   424   NtUserSetProp  (65736, 43288, -1, ... ) == 0x1
 01426   424   NtUserCreateWindowEx  ... ) == 0x100c8
 01506   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01507   424   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 01509   424   NtQueryValueKey  (124,  (124, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   424   NtClose  (124, ... ) == 0x0
 01511   424   NtClose  (120, ... ) == 0x0
 01512   424   NtAllocateVirtualMemory  (-1, 1417216, 0, 24576, 4096, 4, ... 1417216, 24576, ) == 0x0
 01513   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01514   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 120, ) }, ... 120, ) == 0x0
 01516   424   NtQueryValueKey  (120,  (120, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517   424   NtClose  (120, ... ) == 0x0
 01518   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01520   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 01521   424   NtQuerySystemTime  (... {1746778146, 29889274}, ) == 0x0
 01522   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01523   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   424   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01525   424   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01526   424   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01527   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01528   424   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 136, ) == 0x0
 01529   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01530   424   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "ActiveComputerName"}, ... 144, ) }, ... 144, ) == 0x0
 01531   424   NtQueryValueKey  (144,  (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (144, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01532   424   NtClose  (144, ... ) == 0x0
 01533   424   NtClose  (140, ... ) == 0x0
 01534   424   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 140, ) == 0x0
 01535   424   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 144, ) == 0x0
 01536   424   NtDuplicateObject  (-1, 140, -1, 0x0, 0, 2, ... 148, ) == 0x0
 01537   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01538   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01539   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01540   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01541   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233152,  (0xc0100080, {24, 0, 0x40, 0, 1233152, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01542   424   NtSetInformationFile  (156, 1233208, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01543   424   NtSetInformationFile  (156, 1233200, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01544   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01545   424   NtWriteFile  (156, 133, 0, 0,  (156, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01546   424   NtReadFile  (156, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (156, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\351!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01547   424   NtFsControlFile  (156, 133, 0x0, 0x0, 0x11c017,  (156, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\351!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (156, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\351!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01548   424   NtClose  (152, ... ) == 0x0
 01549   424   NtClose  (156, ... ) == 0x0
 01550   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233196, ... ) }, 1233196, ... ) == 0x0
 01551   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01552   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01553   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "zufbj.bat"}, 1233016, ... ) }, 1233016, ... ) == 0x0
 01554   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01555   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01556   424   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1365368, 0,  (0x1f0003, {24, 52, 0x80, 1365368, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 156, ) }, 0, 2147483647, ... 156, ) == STATUS_OBJECT_NAME_EXISTS
 01557   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01558   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01559   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01561   424   NtQueryValueKey  (152,  (152, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562   424   NtClose  (152, ... ) == 0x0
 01563   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01564   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01565   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01567   424   NtQueryValueKey  (152,  (152, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   424   NtClose  (152, ... ) == 0x0
 01569   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01570   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01571   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01573   424   NtQueryValueKey  (152,  (152, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   424   NtClose  (152, ... ) == 0x0
 01575   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01576   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01577   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01579   424   NtQueryValueKey  (152,  (152, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580   424   NtClose  (152, ... ) == 0x0
 01581   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 152, ) }, ... 152, ) == 0x0
 01582   424   NtEnumerateKey  (152, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (152, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01583   424   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 160, ) }, ... 160, ) == 0x0
 01584   424   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01585   424   NtClose  (160, ... ) == 0x0
 01586   424   NtEnumerateKey  (152, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (152, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01587   424   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 160, ) }, ... 160, ) == 0x0
 01588   424   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   424   NtClose  (160, ... ) == 0x0
 01590   424   NtEnumerateKey  (152, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (152, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01591   424   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 160, ) }, ... 160, ) == 0x0
 01592   424   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   424   NtClose  (160, ... ) == 0x0
 01594   424   NtEnumerateKey  (152, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (152, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01595   424   NtOpenKey  (0x20019, {24, 152, 0x40, 0, 0,  (0x20019, {24, 152, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 160, ) }, ... 160, ) == 0x0
 01596   424   NtQueryValueKey  (160,  (160, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597   424   NtClose  (160, ... ) == 0x0
 01598   424   NtEnumerateKey  (152, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01599   424   NtClose  (152, ... ) == 0x0
 01600   424   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   424   NtOpenProcessToken  (-1, 0x8, ... 152, ) == 0x0
 01602   424   NtQueryInformationToken  (152, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01603   424   NtClose  (152, ... ) == 0x0
 01604   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01605   424   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01606   424   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 160, ) == 0x0
 01607   424   NtCreateKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "SessionInfo\00000000000091ac"}, 0, 0x0, 1, ... 164, 2, ) }, 0, 0x0, 1, ... 164, 2, ) == 0x0
 01608   424   NtClose  (160, ... ) == 0x0
 01609   424   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01610   424   NtClose  (164, ... ) == 0x0
 01611   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01612   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01613   424   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01614   424   NtClose  (164, ... ) == 0x0
 01615   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 164, ) }, ... 164, ) == 0x0
 01616   424   NtSetInformationObject  (166, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01617   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01618   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01619   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01620   424   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01621   424   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0
 01622   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01623   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01624   424   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01625   424   NtClose  (168, ... ) == 0x0
 01626   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01627   424   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01628   424   NtClose  (162, ... ) == 0x0
 01629   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01630   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01632   424   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01633   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01634   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01635   424   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01636   424   NtClose  (168, ... ) == 0x0
 01637   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   424   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01639   424   NtClose  (162, ... ) == 0x0
 01640   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01641   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01642   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 160, ) }, ... 160, ) == 0x0
 01643   424   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01644   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01645   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01646   424   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01647   424   NtClose  (168, ... ) == 0x0
 01648   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   424   NtQueryValueKey  (162,  (162, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (162, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01650   424   NtClose  (162, ... ) == 0x0
 01651   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01653   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01654   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 160, ) }, ... 160, ) == 0x0
 01655   424   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01656   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01657   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01658   424   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01659   424   NtClose  (168, ... ) == 0x0
 01660   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01661   424   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01662   424   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01663   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01664   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01665   424   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01666   424   NtClose  (168, ... ) == 0x0
 01667   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01668   424   NtQueryValueKey  (162,  (162, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   424   NtClose  (162, ... ) == 0x0
 01670   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 01671   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 01672   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01673   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 160, ) }, ... 160, ) == 0x0
 01674   424   NtQueryValueKey  (160,  (160, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01675   424   NtClose  (160, ... ) == 0x0
 01676   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 160, ) }, ... 160, ) == 0x0
 01677   424   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01678   424   NtClose  (160, ... ) == 0x0
 01679   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 160, ) }, ... 160, ) == 0x0
 01680   424   NtQueryValueKey  (160,  (160, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   424   NtClose  (160, ... ) == 0x0
 01682   424   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 160, ) }, ... 160, ) == 0x0
 01683   424   NtQueryValueKey  (160, " (160, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (160, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01684   424   NtClose  (160, ... ) == 0x0
 01685   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01686   424   NtQueryVolumeInformationFile  (160, 1233336, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01687   424   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 168, ) }, ... 168, ) == 0x0
 01688   424   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 01689   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 172, ) }, ... 172, ) == 0x0
 01690   424   NtMapViewOfSection  (172, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01691   424   NtQueryInformationFile  (160, 1233300, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01692   424   NtQueryInformationFile  (160, 1233340, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01693   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01694   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01695   424   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01696   424   NtClose  (176, ... ) == 0x0
 01697   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01698   424   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 01699   424   NtClose  (160, ... ) == 0x0
 01700   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 160, ) }, ... 160, ) == 0x0
 01701   424   NtQueryValueKey  (160,  (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01702   424   NtClose  (160, ... ) == 0x0
 01703   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01705   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01706   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231088, ... ) }, 1231088, ... ) == 0x0
 01707   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01708   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 176, ) == 0x0
 01709   424   NtQuerySection  (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01710   424   NtClose  (160, ... ) == 0x0
 01711   424   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01712   424   NtClose  (176, ... ) == 0x0
 01713   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01714   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01715   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01716   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230284, ... ) }, 1230284, ... ) == 0x0
 01717   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01718   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 160, ) == 0x0
 01719   424   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01720   424   NtClose  (176, ... ) == 0x0
 01721   424   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01722   424   NtClose  (160, ... ) == 0x0
 01723   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 160, ) }, ... 160, ) == 0x0
 01724   424   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01725   424   NtClose  (160, ... ) == 0x0
 01726   424   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01727   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01728   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 160, ) }, ... 160, ) == 0x0
 01729   424   NtQueryValueKey  (160,  (160, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   424   NtQueryValueKey  (160,  (160, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01731   424   NtClose  (160, ... ) == 0x0
 01732   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231116, ... ) }, 1231116, ... ) == 0x0
 01733   424   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01734   424   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01735   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 160, ) }, ... 160, ) == 0x0
 01736   424   NtQueryValueKey  (160,  (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01737   424   NtClose  (160, ... ) == 0x0
 01738   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 160, ) }, ... 160, ) == 0x0
 01739   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01740   424   NtNotifyChangeKey  (160, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01741   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 180, ) }, ... 180, ) == 0x0
 01742   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01743   424   NtNotifyChangeKey  (180, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01744   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01745   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 192, ) }, ... 192, ) == 0x0
 01746   424   NtSetInformationObject  (192, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01747   424   NtNotifyChangeKey  (192, 188, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01748   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 196, ) }, ... 196, ) == 0x0
 01749   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01750   424   NtNotifyChangeKey  (196, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01751   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01752   424   NtNotifyChangeKey  (192, 204, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01753   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 208, ) }, ... 208, ) == 0x0
 01754   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 01755   424   NtNotifyChangeKey  (208, 212, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01756   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 216, ) }, ... 216, ) == 0x0
 01757   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0
 01758   424   NtNotifyChangeKey  (216, 220, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01759   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 224, ) }, ... 224, ) == 0x0
 01760   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0
 01761   424   NtNotifyChangeKey  (224, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01762   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 232, ) }, ... 232, ) == 0x0
 01763   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 236, ) == 0x0
 01764   424   NtNotifyChangeKey  (232, 236, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01765   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 240, ) }, ... 240, ) == 0x0
 01766   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01767   424   NtNotifyChangeKey  (240, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01768   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0
 01769   424   NtNotifyChangeKey  (192, 248, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01770   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 252, ) }, ... 252, ) == 0x0
 01771   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01772   424   NtNotifyChangeKey  (252, 256, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01773   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 260, ) }, ... 260, ) == 0x0
 01774   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 264, ) == 0x0
 01775   424   NtNotifyChangeKey  (260, 264, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01776   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 268, ) }, ... 268, ) == 0x0
 01777   424   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 272, ) == 0x0
 01778   424   NtNotifyChangeKey  (268, 272, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01779   424   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01781   424   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01782   424   NtClose  (276, ... ) == 0x0
 01783   424   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0
 01784   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01785   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01786   424   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 276, ) }, ... 276, ) == 0x0
 01787   424   NtMapViewOfSection  (276, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3f0000), {0, 0}, 24576, ) == 0x0
 01788   424   NtAllocateVirtualMemory  (-1, 3301376, 0, 8192, 4096, 4, ... 3301376, 8192, ) == 0x0
 01789   424   NtAllocateVirtualMemory  (-1, 3309568, 0, 8192, 4096, 4, ... 3309568, 8192, ) == 0x0
 01790   424   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01791   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 280, ) }, ... 280, ) == 0x0
 01792   424   NtQueryValueKey  (280,  (280, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (280, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01793   424   NtClose  (280, ... ) == 0x0
 01794   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01795   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01796   424   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 11468800, 65536, ) == 0x0
 01797   424   NtAllocateVirtualMemory  (-1, 11468800, 0, 4096, 4096, 4, ... 11468800, 4096, ) == 0x0
 01798   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01799   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01800   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01801   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01802   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01803   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01804   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01805   424   NtClose  (284, ... ) == 0x0
 01806   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01807   424   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   424   NtClose  (282, ... ) == 0x0
 01809   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01810   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01811   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01812   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01813   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01814   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01815   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01816   424   NtClose  (284, ... ) == 0x0
 01817   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01819   424   NtAllocateVirtualMemory  (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0
 01820   424   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01821   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01822   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01823   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01824   424   NtClose  (288, ... ) == 0x0
 01825   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01826   424   NtQueryValueKey  (286,  (286, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01827   424   NtClose  (286, ... ) == 0x0
 01828   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01829   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01830   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01831   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01832   424   NtClose  (284, ... ) == 0x0
 01833   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01834   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01835   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01836   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01837   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01838   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01839   424   NtClose  (284, ... ) == 0x0
 01840   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01842   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01843   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01844   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01845   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01846   424   NtClose  (284, ... ) == 0x0
 01847   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01848   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01849   424   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01850   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01851   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01852   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01853   424   NtClose  (288, ... ) == 0x0
 01854   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01855   424   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01856   424   NtClose  (286, ... ) == 0x0
 01857   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01858   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01859   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01860   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01861   424   NtClose  (284, ... ) == 0x0
 01862   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01863   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01864   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01865   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01866   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01867   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01868   424   NtClose  (284, ... ) == 0x0
 01869   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01871   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01872   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01873   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01874   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01875   424   NtClose  (284, ... ) == 0x0
 01876   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01879   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01880   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01881   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01882   424   NtClose  (284, ... ) == 0x0
 01883   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01884   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01886   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01887   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 284, ) }, ... 284, ) == 0x0
 01888   424   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01889   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01890   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01891   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01892   424   NtClose  (288, ... ) == 0x0
 01893   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01894   424   NtQueryValueKey  (286,  (286, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895   424   NtClose  (286, ... ) == 0x0
 01896   424   NtClose  (282, ... ) == 0x0
 01897   424   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {416, 0}, ... 280, ) == 0x0
 01898   424   NtQueryInformationProcess  (280, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01899   424   NtClose  (280, ... ) == 0x0
 01900   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01901   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01903   424   NtClose  (282, ... ) == 0x0
 01904   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01905   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01907   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01908   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01909   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01910   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01911   424   NtClose  (284, ... ) == 0x0
 01912   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913   424   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01914   424   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01915   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01916   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01917   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01918   424   NtClose  (288, ... ) == 0x0
 01919   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920   424   NtQueryValueKey  (286,  (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01921   424   NtClose  (286, ... ) == 0x0
 01922   424   NtClose  (282, ... ) == 0x0
 01923   424   NtAllocateVirtualMemory  (-1, 1454080, 0, 8192, 4096, 4, ... 1454080, 8192, ) == 0x0
 01924   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01925   424   NtOpenKey  (0x20019, {24, 166, 0x40, 0, 0,  (0x20019, {24, 166, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01926   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 280, ) }, ... 280, ) == 0x0
 01927   424   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01928   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01929   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01930   424   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01931   424   NtClose  (284, ... ) == 0x0
 01932   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01933   424   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01934   424   NtClose  (282, ... ) == 0x0
 01935   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227508, ... ) }, 1227508, ... ) == 0x0
 01936   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01937   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 280, ... 284, ) == 0x0
 01938   424   NtClose  (280, ... ) == 0x0
 01939   424   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb00000), 0x0, 1339392, ) == 0x0
 01940   424   NtClose  (284, ... ) == 0x0
 01941   424   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 01942   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227824, ... ) }, 1227824, ... ) == 0x0
 01943   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01944   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 280, ) == 0x0
 01945   424   NtQuerySection  (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01946   424   NtClose  (284, ... ) == 0x0
 01947   424   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01948   424   NtClose  (280, ... ) == 0x0
 01949   424   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01950   424   NtQueryDefaultUILanguage  (1226188, ...
 01951   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01952   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482056, ) == 0x0
 01953   424   NtQueryInformationToken  (-2147482056, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01954   424   NtClose  (-2147482056, ... ) == 0x0
 01955   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0
 01956   424   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01957   424   NtOpenKey  (0x80000000, {24, -2147482056, 0x640, 0, 0,  (0x80000000, {24, -2147482056, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482060, ) }, ... -2147482060, ) == 0x0
 01958   424   NtQueryValueKey  (-2147482060,  (-2147482060, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01959   424   NtClose  (-2147482060, ... ) == 0x0
 01960   424   NtClose  (-2147482056, ... ) == 0x0
 01950   424   NtQueryDefaultUILanguage  ... ) == 0x0
 01961   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 280, {status=0x0, info=1}, ) }, 1, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01963   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 280, ... 284, ) == 0x0
 01964   424   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb00000), 0x0, 1339392, ) == 0x0
 01965   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   424   NtQueryDefaultLocale  (1, 1224224, ... ) == 0x0
 01967   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   424   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\273\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1506, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\273\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 416, 424, 1506, 0}  (24, {128, 156, new_msg, 0, 1225080, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\273\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 424, 1506, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\10\340\273\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0x\270\22\0\0\0\0\0" )  ) == 0x0
 01969   424   NtClose  (280, ... ) == 0x0
 01970   424   NtClose  (284, ... ) == 0x0
 01971   424   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 01972   424   NtUnmapViewOfSection  (-1, 0x12b878, ... ) == STATUS_NOT_MAPPED_VIEW
 01973   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01974   424   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01975   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01976   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01977   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222764, ... ) }, 1222764, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01978   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01979   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01980   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01981   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223356, ... ) }, 1223356, ... ) == 0x0
 01982   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 284, {status=0x0, info=1}, ) }, 3, 33, ... 284, {status=0x0, info=1}, ) == 0x0
 01983   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01984   424   NtUserFindExistingCursorIcon  (1227308, 1227324, 1227892, ... ) == 0x10011
 01985   424   NtUserRegisterClassExWOW  (1227760, 1227840, 1227824, 1227856, 0, 384, 0, ... ) == 0x810f0000
 01986   424   NtUserGetClassInfo  (1905590272, 1227924, 1227876, 1227952, 0, ... ) == 0xc05f
 01987   424   NtGdiCreateHalftonePalette  (0, ... ) == 0x90803e5
 01988   424   NtGdiDoPalette  (151520229, 0, 256, 1227016, 2, 0, ... ) == 0x100
 01989   424   NtGdiDeleteObjectApp  (151520229, ... ) == 0x1
 01990   424   NtGdiCreateCompatibleDC  (0, ... ) == 0xa0103e5
 01991   424   NtGdiCreatePaletteInternal  (1227012, 256, ... ) == 0x70803ea
 01992   424   NtGdiDeleteObjectApp  (167838693, ... ) == 0x1
 01993   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01994   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01995   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 280, ) }, ... 280, ) == 0x0
 01996   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01997   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01998   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01999   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02000   424   NtClose  (288, ... ) == 0x0
 02001   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02002   424   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02003   424   NtClose  (282, ... ) == 0x0
 02004   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02005   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02006   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02007   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02008   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02009   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02010   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02011   424   NtClose  (288, ... ) == 0x0
 02012   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02013   424   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02014   424   NtClose  (282, ... ) == 0x0
 02015   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02016   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02017   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02018   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02019   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02020   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02021   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02022   424   NtClose  (288, ... ) == 0x0
 02023   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   424   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02025   424   NtClose  (282, ... ) == 0x0
 02026   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02027   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02028   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02029   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02030   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02031   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02032   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02033   424   NtClose  (288, ... ) == 0x0
 02034   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02035   424   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02036   424   NtClose  (282, ... ) == 0x0
 02037   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02038   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02039   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 280, ) }, ... 280, ) == 0x0
 02040   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02041   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02042   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02043   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02044   424   NtClose  (288, ... ) == 0x0
 02045   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02046   424   NtQueryValueKey  (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (282, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02047   424   NtClose  (282, ... ) == 0x0
 02048   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02049   424   NtAllocateVirtualMemory  (-1, 1462272, 0, 12288, 4096, 4, ... 1462272, 12288, ) == 0x0
 02050   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02051   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02052   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02053   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02054   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02055   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02056   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02057   424   NtClose  (288, ... ) == 0x0
 02058   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02059   424   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02060   424   NtClose  (282, ... ) == 0x0
 02061   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02062   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02063   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02064   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02065   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02066   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02067   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02068   424   NtClose  (288, ... ) == 0x0
 02069   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02070   424   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   424   NtClose  (282, ... ) == 0x0
 02072   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02073   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02074   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02075   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02076   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02077   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02078   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02079   424   NtClose  (288, ... ) == 0x0
 02080   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   424   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02082   424   NtClose  (282, ... ) == 0x0
 02083   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02084   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02085   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 280, ) }, ... 280, ) == 0x0
 02086   424   NtQueryKey  (282, Name, 392, ... {Name= (282, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02087   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02088   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 02089   424   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02090   424   NtClose  (288, ... ) == 0x0
 02091   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02092   424   NtQueryValueKey  (282,  (282, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   424   NtClose  (282, ... ) == 0x0
 02094   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 280, ) }, ... 280, ) == 0x0
 02095   424   NtEnumerateValueKey  (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (280, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02096   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02097   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02098   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 288, ) }, ... 288, ) == 0x0
 02099   424   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02100   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02101   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 02102   424   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02103   424   NtClose  (292, ... ) == 0x0
 02104   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02105   424   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02106   424   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02107   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02108   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 292, ) == 0x0
 02109   424   NtQueryInformationToken  (292, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02110   424   NtClose  (292, ... ) == 0x0
 02111   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02112   424   NtQueryValueKey  (290,  (290, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02113   424   NtClose  (290, ... ) == 0x0
 02114   424   NtEnumerateValueKey  (280, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02115   424   NtClose  (280, ... ) == 0x0
 02116   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02117   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02118   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1232468, ... ) }, 1232468, ... ) == 0x0
 02119   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02120   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02121   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02122   424   NtQueryValueKey  (280,  (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (280, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02123   424   NtClose  (280, ... ) == 0x0
 02124   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02125   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02126   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1233496, ... ) }, 1233496, ... ) == 0x0
 02127   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02128   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02129   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02130   424   NtQueryValueKey  (280,  (280, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02131   424   NtQueryValueKey  (280,  (280, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (280, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02132   424   NtClose  (280, ... ) == 0x0
 02133   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02135   424   NtQueryValueKey  (280,  (280, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02136   424   NtClose  (280, ... ) == 0x0
 02137   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02138   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02139   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02140   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02141   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02142   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02143   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02144   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02145   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02146   424   NtQueryDefaultLocale  (1, 1233784, ... ) == 0x0
 02147   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 280, ) }, ... 280, ) == 0x0
 02148   424   NtEnumerateKey  (280, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (280, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02149   424   NtOpenKey  (0x20019, {24, 280, 0x40, 0, 0,  (0x20019, {24, 280, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 288, ) }, ... 288, ) == 0x0
 02150   424   NtQueryValueKey  (288,  (288, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (288, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02151   424   NtQueryValueKey  (288,  (288, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (288, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02152   424   NtClose  (288, ... ) == 0x0
 02153   424   NtEnumerateKey  (280, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02154   424   NtClose  (280, ... ) == 0x0
 02155   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02158   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02160   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02161   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02162   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02163   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02166   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02167   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02169   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02170   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02171   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02172   424   NtClose  (280, ... ) == 0x0
 02173   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02174   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02175   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02176   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02177   424   NtClose  (280, ... ) == 0x0
 02178   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02179   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02180   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02181   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02182   424   NtClose  (280, ... ) == 0x0
 02183   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02185   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02186   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02187   424   NtClose  (280, ... ) == 0x0
 02188   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02190   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02191   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02192   424   NtClose  (280, ... ) == 0x0
 02193   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02195   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02196   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02197   424   NtClose  (280, ... ) == 0x0
 02198   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02199   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02200   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02201   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02202   424   NtClose  (280, ... ) == 0x0
 02203   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02205   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02206   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02207   424   NtClose  (280, ... ) == 0x0
 02208   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02210   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02211   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02212   424   NtClose  (280, ... ) == 0x0
 02213   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02215   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02216   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02217   424   NtClose  (280, ... ) == 0x0
 02218   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02220   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02221   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02222   424   NtClose  (280, ... ) == 0x0
 02223   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02225   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02226   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02227   424   NtClose  (280, ... ) == 0x0
 02228   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02230   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02231   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02232   424   NtClose  (280, ... ) == 0x0
 02233   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02235   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02236   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02237   424   NtClose  (280, ... ) == 0x0
 02238   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02240   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02241   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02242   424   NtClose  (280, ... ) == 0x0
 02243   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0
 02245   424   NtQueryValueKey  (280,  (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (280, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02246   424   NtClose  (280, ... ) == 0x0
 02247   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02248   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 02249   424   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02250   424   NtClose  (280, ... ) == 0x0
 02251   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252   424   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02253   424   NtOpenProcessToken  (-1, 0xa, ... 280, ) == 0x0
 02254   424   NtDuplicateToken  (280, 0xc, {24, 0, 0x0, 0, 1234304, 0x0}, 0, 2, ... 288, ) == 0x0
 02255   424   NtClose  (280, ... ) == 0x0
 02256   424   NtAccessCheck  (1464072, 288, 0x1, 1234432, 1234376, 56, 1234460, ... (0x1), ) == 0x0
 02257   424   NtClose  (288, ... ) == 0x0
 02258   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 288, ) }, ... 288, ) == 0x0
 02259   424   NtQueryValueKey  (288,  (288, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (288, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02260   424   NtClose  (288, ... ) == 0x0
 02261   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234320,  (0x80100080, {24, 0, 0x40, 0, 1234320, "\??\u:\work\zufbj.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 288, {status=0x0, info=1}, ) == 0x0
 02262   424   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 280, ) }, ... 280, ) == 0x0
 02263   424   NtQuerySymbolicLinkObject  (280, ...  (280, ... "\Device\WinDfs\U:00000000000091ac", 66, ) , 66, ) == 0x0
 02264   424   NtClose  (280, ... ) == 0x0
 02265   424   NtQueryInformationFile  (288, 1232764, 528, Name, ... {status=0x0, info=70}, ) == 0x0
 02266   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02267   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02268   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\zufbj.bat"}, 1231444, ... ) }, 1231444, ... ) == 0x0
 02269   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 02270   424   NtQueryDirectoryFile  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02271   424   NtClose  (280, ... ) == 0x0
 02272   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0
 02273   424   NtQueryDirectoryFile  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1,  (280, 0, 0, 0, 1230804, 616, BothDirectory, 1, "zufbj.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02274   424   NtClose  (280, ... ) == 0x0
 02275   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02276   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02277   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02278   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02279   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1232176, ... ) }, 1232176, ... ) == 0x0
 02281   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 02282   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 292, ) == 0x0
 02283   424   NtQuerySection  (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02284   424   NtClose  (280, ... ) == 0x0
 02285   424   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 02286   424   NtClose  (292, ... ) == 0x0
 02287   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 292, ) }, ... 292, ) == 0x0
 02288   424   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 02289   424   NtClose  (292, ... ) == 0x0
 02290   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02291   424   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11534336, 262144, ) == 0x0
 02292   424   NtAllocateVirtualMemory  (-1, 11534336, 0, 4096, 4096, 4, ... 11534336, 4096, ) == 0x0
 02293   424   NtAllocateVirtualMemory  (-1, 11538432, 0, 8192, 4096, 4, ... 11538432, 8192, ) == 0x0
 02294   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02295   424   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11796480, 1048576, ) == 0x0
 02296   424   NtAllocateVirtualMemory  (-1, 11796480, 0, 1048576, 4096, 4, ... 11796480, 1048576, ) == 0x0
 02297   424   NtCreateMutant  (0x1f0001, 0x0, 0, ... 292, ) == 0x0
 02298   424   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 280, ) == 0x0
 02299   424   NtCreateMutant  (0x1f0001, 0x0, 0, ... 296, ) == 0x0
 02300   424   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 300, ) == 0x0
 02301   424   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 304, ) == 0x0
 02302   424   NtSetEvent  (304, ... 0x0, ) == 0x0
 02303   424   NtSetInformationFile  (288, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02304   424   NtReadFile  (288, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (288, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02305   424   NtWaitForSingleObject  (292, 0, 0x0, ... ) == 0x0
 02306   424   NtClearEvent  (280, ... ) == 0x0
 02307   424   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02308   424   NtWaitForSingleObject  (292, 0, 0x0, ... ) == 0x0
 02309   424   NtSetEvent  (280, ... 0x0, ) == 0x0
 02310   424   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02311   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02312   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02313   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02314   424   NtClose  (308, ... ) == 0x0
 02315   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02316   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02317   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02318   424   NtClose  (308, ... ) == 0x0
 02319   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02320   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02321   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02322   424   NtClose  (308, ... ) == 0x0
 02323   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02324   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02325   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02326   424   NtClose  (308, ... ) == 0x0
 02327   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02328   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02329   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02330   424   NtClose  (308, ... ) == 0x0
 02331   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02332   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02333   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02334   424   NtClose  (308, ... ) == 0x0
 02335   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 308, ) }, ... 308, ) == 0x0
 02337   424   NtQueryValueKey  (308,  (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02338   424   NtQueryValueKey  (308,  (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02339   424   NtClose  (308, ... ) == 0x0
 02340   424   NtWaitForMultipleObjects  (2, (292, 280, ), 0, 0, 0x0, ... ) == 0x0
 02341   424   NtReleaseMutant  (292, ... 0x0, ) == 0x0
 02342   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02343   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 308, ) == 0x0
 02344   424   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02345   424   NtClose  (308, ... ) == 0x0
 02346   424   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02347   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02348   424   NtClose  (308, ... ) == 0x0
 02349   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 308, ) }, ... 308, ) == 0x0
 02350   424   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02351   424   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02352   424   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02353   424   NtQueryValueKey  (308,  (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02354   424   NtClose  (308, ... ) == 0x0
 02355   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 308, ) }, ... 308, ) == 0x0
 02356   424   NtQueryValueKey  (308,  (308, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02357   424   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02358   424   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02359   424   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02360   424   NtQueryValueKey  (308,  (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02361   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231492, ... ) }, 1231492, ... ) == 0x0
 02362   424   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 312, ) }, ... 312, ) == 0x0
 02363   424   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02364   424   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02365   424   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02366   424   NtQueryValueKey  (312,  (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02367   424   NtClose  (312, ... ) == 0x0
 02368   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02369   424   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02370   424   NtOpenProcessToken  (-1, 0x8, ... 312, ) == 0x0
 02371   424   NtQueryInformationToken  (312, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02372   424   NtClose  (312, ... ) == 0x0
 02373   424   NtClose  (308, ... ) == 0x0
 02374   424   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02375   424   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02376   424   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02377   424   NtClose  (308, ... ) == 0x0
 02378   424   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02379   424   NtCreateKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0
 02380   424   NtClose  (308, ... ) == 0x0
 02381   424   NtQueryValueKey  (312,  (312, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02382   424   NtClose  (312, ... ) == 0x0
 02383   424   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02384   424   NtOpenProcessToken  (-1, 0x8, ... 312, ) == 0x0
 02385   424   NtQueryInformationToken  (312, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02386   424   NtClose  (312, ... ) == 0x0
 02387   424   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 312, ) }, ... 312, ) == 0x0
 02388   424   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 308, ) }, ... 308, ) == 0x0
 02389   424   NtClose  (312, ... ) == 0x0
 02390   424   NtQueryValueKey  (308,  (308, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02391   424   NtClose  (308, ... ) == 0x0
 02392   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02393   424   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02394   424   NtOpenProcessToken  (-1, 0x8, ... 308, ) == 0x0
 02395   424   NtQueryInformationToken  (308, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02396   424   NtClose  (308, ... ) == 0x0
 02397   424   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0
 02398   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02399   424   NtClose  (308, ... ) == 0x0
 02400   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   424   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 288, ... 308, ) == 0x0
 02402   424   NtMapViewOfSection  (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xc40000), {0, 0}, 4096, ) == 0x0
 02403   424   NtClose  (308, ... ) == 0x0
 02404   424   NtQueryInformationFile  (288, 1233708, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02405   424   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 02406   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02407   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02408   424   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 316, ) }, ... 316, ) == 0x0
 02409   424   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02410   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 320, ) }, ... 320, ) == 0x0
 02411   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02412   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02413   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02414   424   NtClose  (320, ... ) == 0x0
 02415   424   NtEnumerateKey  (316, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02416   424   NtClose  (316, ... ) == 0x0
 02417   424   NtClose  (312, ... ) == 0x0
 02418   424   NtClose  (308, ... ) == 0x0
 02419   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02420   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02421   424   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 316, ) }, ... 316, ) == 0x0
 02422   424   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02423   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 320, ) }, ... 320, ) == 0x0
 02424   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02425   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02426   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02427   424   NtClose  (320, ... ) == 0x0
 02428   424   NtEnumerateKey  (316, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02429   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 320, ) }, ... 320, ) == 0x0
 02430   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02431   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02432   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02433   424   NtClose  (320, ... ) == 0x0
 02434   424   NtEnumerateKey  (316, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (316, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02435   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 320, ) }, ... 320, ) == 0x0
 02436   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02437   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02438   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02439   424   NtClose  (320, ... ) == 0x0
 02440   424   NtEnumerateKey  (316, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (316, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02441   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 320, ) }, ... 320, ) == 0x0
 02442   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02443   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02444   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02445   424   NtClose  (320, ... ) == 0x0
 02446   424   NtEnumerateKey  (316, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02447   424   NtClose  (316, ... ) == 0x0
 02448   424   NtClose  (312, ... ) == 0x0
 02449   424   NtClose  (308, ... ) == 0x0
 02450   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 308, ) }, ... 308, ) == 0x0
 02451   424   NtEnumerateKey  (308, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (308, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02452   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 0"}, ... 312, ) }, ... 312, ) == 0x0
 02453   424   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 316, ) }, ... 316, ) == 0x0
 02454   424   NtEnumerateKey  (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02455   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 320, ) }, ... 320, ) == 0x0
 02456   424   NtQueryKey  (320, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02457   424   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02458   424   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02459   424   NtClose  (320, ... ) == 0x0
 02460   424   NtEnumerateKey  (316, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02461   424   NtClose  (316, ... ) == 0x0
 02462   424   NtClose  (312, ... ) == 0x0
 02463   424   NtEnumerateKey  (308, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (308, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02464   424   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "EncodingType 1"}, ... 312, ) }, ... 312, ) == 0x0
 02465   424   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02466   424   NtClose  (312, ... ) == 0x0
 02467   424   NtEnumerateKey  (308, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02468   424   NtClose  (308, ... ) == 0x0
 02469   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02470   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02471   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 308, ... 312, ) == 0x0
 02472   424   NtClose  (308, ... ) == 0x0
 02473   424   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc40000), 0x0, 16384, ) == 0x0
 02474   424   NtClose  (312, ... ) == 0x0
 02475   424   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 02476   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02477   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02478   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 308, ) == 0x0
 02479   424   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02480   424   NtClose  (312, ... ) == 0x0
 02481   424   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02482   424   NtClose  (308, ... ) == 0x0
 02483   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230812, ... ) }, 1230812, ... ) == 0x0
 02484   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 308, ) == 0x0
 02485   424   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12976128, 1048576, ) == 0x0
 02486   424   NtAllocateVirtualMemory  (-1, 14016512, 0, 8192, 4096, 4, ... 14016512, 8192, ) == 0x0
 02487   424   NtProtectVirtualMemory  (-1, (0xd5e000), 4096, 260, ... (0xd5e000), 4096, 4, ) == 0x0
 02488   424   NtCreateThread  (0x1f03ff, 0x0, -1, 1232760, 1233476, 1, ... 312, {416, 1024}, ) == 0x0
 02489   424   NtQueryInformationThread  (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=416,Tid=1024,}, 0x0, ) == 0x0
 02490   424   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\08\1\0\0\240\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 416, 424, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\08\1\0\0\240\1\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 416, 424, 1507, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\08\1\0\0\240\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 416, 424, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\08\1\0\0\240\1\0\0\0\4\0\0" )  ) == 0x0
 02491   424   NtResumeThread  (312, ... 1, ) == 0x0
 02492   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 316, ) }, ... 316, ) == 0x0
 02493   424   NtEnumerateKey  (316, 0, Basic, 288, ...
 02494  1024   NtTestAlert  (... ) == 0x0
 02495  1024   NtContinue  (14023984, 1, ...
 02496  1024   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02497  1024   NtWaitForMultipleObjects  (1, (308, ), 1, 0, {-150000000, -1}, ...
 02493   424   NtEnumerateKey  ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02498   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "EncodingType 0"}, ... 320, ) }, ... 320, ) == 0x0
 02499   424   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 324, ) }, ... 324, ) == 0x0
 02500   424   NtEnumerateKey  (324, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (324, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02501   424   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 328, ) }, ... 328, ) == 0x0
 02502   424   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02503   424   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02504   424   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02505   424   NtClose  (328, ... ) == 0x0
 02506   424   NtEnumerateKey  (324, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (324, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02507   424   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 328, ) }, ... 328, ) == 0x0
 02508   424   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02509   424   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02510   424   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02511   424   NtClose  (328, ... ) == 0x0
 02512   424   NtEnumerateKey  (324, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (324, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02513   424   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 328, ) }, ... 328, ) == 0x0
 02514   424   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02515   424   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02516   424   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02517   424   NtClose  (328, ... ) == 0x0
 02518   424   NtEnumerateKey  (324, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (324, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02519   424   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 328, ) }, ... 328, ) == 0x0
 02520   424   NtQueryKey  (328, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02521   424   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02522   424   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02523   424   NtClose  (328, ... ) == 0x0
 02524   424   NtEnumerateKey  (324, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02525   424   NtClose  (324, ... ) == 0x0
 02526   424   NtClose  (320, ... ) == 0x0
 02527   424   NtEnumerateKey  (316, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02528   424   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "EncodingType 1"}, ... 320, ) }, ... 320, ) == 0x0
 02529   424   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530   424   NtClose  (320, ... ) == 0x0
 02531   424   NtEnumerateKey  (316, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02532   424   NtClose  (316, ... ) == 0x0
 02533   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02534   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02535   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02536   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231544, ... ) }, 1231544, ... ) == 0x0
 02537   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02538   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 02539   424   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02540   424   NtClose  (316, ... ) == 0x0
 02541   424   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02542   424   NtClose  (320, ... ) == 0x0
 02543   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02544   424   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 12845056, 65536, ) == 0x0
 02545   424   NtAllocateVirtualMemory  (-1, 12845056, 0, 4096, 4096, 4, ... 12845056, 4096, ) == 0x0
 02546   424   NtAllocateVirtualMemory  (-1, 12849152, 0, 8192, 4096, 4, ... 12849152, 8192, ) == 0x0
 02547   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231132, ... ) }, 1231132, ... ) == 0x0
 02548   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02549   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 316, ) == 0x0
 02550   424   NtClose  (320, ... ) == 0x0
 02551   424   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 262144, ) == 0x0
 02552   424   NtClose  (316, ... ) == 0x0
 02553   424   NtUnmapViewOfSection  (-1, 0xd60000, ... ) == 0x0
 02554   424   NtAllocateLocallyUniqueId  (... {66263, 0}, ) == 0x0
 02555   424   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02556   424   NtOpenProcessToken  (-1, 0x20008, ... 316, ) == 0x0
 02557   424   NtQueryInformationToken  (316, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02558   424   NtClose  (316, ... ) == 0x0
 02559   424   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232452, 0,  (0xf0007, {24, 52, 0x80, 1232452, 0, "DfSharedHeap102D7"}, {4194304, 0}, 4, 67108864, 0, ... 316, ) }, {4194304, 0}, 4, 67108864, 0, ... 316, ) == 0x0
 02560   424   NtMapViewOfSection  (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xd60000), {0, 0}, 4194304, ) == 0x0
 02561   424   NtAllocateVirtualMemory  (-1, 14024704, 0, 16376, 4096, 4, ... 14024704, 16384, ) == 0x0
 02562   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229968,  (0x80100080, {24, 0, 0x40, 0, 1229968, "\??\UNC\missouri\binaries\work\zufbj.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 02563   424   NtReadFile  (320, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=121},  (320, 0, 0, 1232672, 512, {0, 0}, 0, ... {status=0x0, info=121}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del zufbj.bat\15\12", ) , ) == 0x0
 02564   424   NtClose  (320, ... ) == 0x0
 02565   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231236, ... ) }, 1231236, ... ) == 0x0
 02566   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02567   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0
 02568   424   NtClose  (320, ... ) == 0x0
 02569   424   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1160000), 0x0, 69632, ) == 0x0
 02570   424   NtClose  (324, ... ) == 0x0
 02571   424   NtUnmapViewOfSection  (-1, 0x1160000, ... ) == 0x0
 02572   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231552, ... ) }, 1231552, ... ) == 0x0
 02573   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02574   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 320, ) == 0x0
 02575   424   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02576   424   NtClose  (324, ... ) == 0x0
 02577   424   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02578   424   NtClose  (320, ... ) == 0x0
 02579   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 320, ) }, ... 320, ) == 0x0
 02580   424   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02581   424   NtClose  (320, ... ) == 0x0
 02582   424   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02583   424   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02584   424   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02585   424   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02586   424   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02587   424   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02588   424   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02589   424   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02590   424   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02591   424   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02592   424   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02593   424   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02594   424   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02595   424   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02596   424   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02597   424   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02598   424   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02599   424   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02600   424   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02601   424   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02602   424   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02603   424   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02604   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02605   424   NtReleaseMutant  (16, ...
 02606   424   NtContinue  (-104226680, 0, ...
 02605   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02607   424   NtQueryDefaultLocale  (1, 1230232, ... ) == 0x0
 02608   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02609   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02610   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02611   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02612   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02613   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02614   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02615   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02616   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02617   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02618   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02619   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02620   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02621   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02622   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02624   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02625   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02626   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02627   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02628   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02629   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02630   424   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02631   424   NtReleaseMutant  (16, ...
 02632   424   NtContinue  (-104226680, 0, ...
 02631   424   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02633   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228224, ... ) }, 1228224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02634   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228540, ... ) }, 1228540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02636   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02637   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02638   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02639   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02641   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02642   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02643   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228532, ... ) }, 1228532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02644   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02645   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 02646   424   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02647   424   NtClose  (320, ... ) == 0x0
 02648   424   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 320, ) }, ... 320, ) == 0x0
 02649   424   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 324, ) }, ... 324, ) == 0x0
 02650   424   NtClose  (320, ... ) == 0x0
 02651   424   NtQueryValueKey  (324,  (324, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02652   424   NtQueryValueKey  (324,  (324, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (324, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02653   424   NtClose  (324, ... ) == 0x0
 02654   424   NtClose  (288, ... ) == 0x0
 02655   424   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 18219008, 4096, ) == 0x0
 02656   424   NtAllocateVirtualMemory  (-1, 18219008, 0, 4096, 4096, 4, ... 18219008, 4096, ) == 0x0
 02657   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 288, ) }, ... 288, ) == 0x0
 02658   424   NtQueryValueKey  (288,  (288, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02659   424   NtClose  (288, ... ) == 0x0
 02660   424   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02661   424   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02662   424   NtOpenProcessToken  (-1, 0x2000a, ... 288, ) == 0x0
 02663   424   NtQueryInformationToken  (288, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02664   424   NtQueryInformationToken  (288, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02665   424   NtClose  (288, ... ) == 0x0
 02666   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02667   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 02668   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 02669   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02670   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 288, ) }, ... 288, ) == 0x0
 02671   424   NtQueryValueKey  (288,  (288, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02672   424   NtClose  (288, ... ) == 0x0
 02673   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 02674   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 02675   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 288, ) }, ... 288, ) == 0x0
 02677   424   NtQueryValueKey  (288,  (288, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02678   424   NtClose  (288, ... ) == 0x0
 02679   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02680   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02681   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 288, ) }, ... 288, ) == 0x0
 02682   424   NtQueryKey  (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02683   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02684   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02685   424   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02686   424   NtClose  (324, ... ) == 0x0
 02687   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02688   424   NtQueryValueKey  (290, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02689   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230840, ... ) }, 1230840, ... ) == 0x0
 02690   424   NtClose  (290, ... ) == 0x0
 02691   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02692   424   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 288, {status=0x0, info=1}, ) }, 3, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02693   424   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 324, ) }, ... 324, ) == 0x0
 02694   424   NtQuerySymbolicLinkObject  (324, ...  (324, ... "\Device\WinDfs\U:00000000000091ac", 66, ) , 66, ) == 0x0
 02695   424   NtClose  (324, ... ) == 0x0
 02696   424   NtQueryVolumeInformationFile  (288, 1234192, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02697   424   NtClose  (288, ... ) == 0x0
 02698   424   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 02699   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 288, ) }, ... 288, ) == 0x0
 02700   424   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 324, ) }, ... 324, ) == 0x0
 02701   424   NtQueryValueKey  (324,  (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02702   424   NtQueryValueKey  (324,  (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02703   424   NtClose  (324, ... ) == 0x0
 02704   424   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02705   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02706   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02707   424   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02708   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02709   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02710   424   NtClose  (324, ... ) == 0x0
 02711   424   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02712   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02713   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02714   424   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02715   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02716   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02717   424   NtClose  (324, ... ) == 0x0
 02718   424   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02719   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02720   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02721   424   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02722   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02723   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02724   424   NtClose  (324, ... ) == 0x0
 02725   424   NtOpenKey  (0x20019, {24, 288, 0x40, 0, 0,  (0x20019, {24, 288, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 324, ) }, ... 324, ) == 0x0
 02726   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02727   424   NtQueryValueKey  (324,  (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02728   424   NtQueryValueKey  (324,  (324, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02729   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02730   424   NtQueryValueKey  (324,  (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02731   424   NtClose  (324, ... ) == 0x0
 02732   424   NtClose  (288, ... ) == 0x0
 02733   424   NtQueryDefaultLocale  (1, 1233744, ... ) == 0x0
 02734   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02735   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02736   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 288, ... 324, ) == 0x0
 02737   424   NtClose  (288, ... ) == 0x0
 02738   424   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1170000), 0x0, 12288, ) == 0x0
 02739   424   NtClose  (324, ... ) == 0x0
 02740   424   NtUnmapViewOfSection  (-1, 0x1170000, ... ) == 0x0
 02741   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02742   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02743   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02744   424   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02745   424   NtClose  (324, ... ) == 0x0
 02746   424   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02747   424   NtClose  (288, ... ) == 0x0
 02748   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 288, ) }, ... 288, ) == 0x0
 02749   424   NtQueryValueKey  (288,  (288, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02750   424   NtClose  (288, ... ) == 0x0
 02751   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02752   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02753   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 288, ... 324, ) == 0x0
 02754   424   NtClose  (288, ... ) == 0x0
 02755   424   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1170000), 0x0, 40960, ) == 0x0
 02756   424   NtClose  (324, ... ) == 0x0
 02757   424   NtUnmapViewOfSection  (-1, 0x1170000, ... ) == 0x0
 02758   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02759   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02760   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02761   424   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02762   424   NtClose  (324, ... ) == 0x0
 02763   424   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02764   424   NtClose  (288, ... ) == 0x0
 02765   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02766   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02767   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02768   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 288, ... 324, ) == 0x0
 02769   424   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02770   424   NtClose  (288, ... ) == 0x0
 02771   424   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02772   424   NtClose  (324, ... ) == 0x0
 02773   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02774   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231260, ... ) }, 1231260, ... ) == 0x0
 02775   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02776   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02777   424   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02778   424   NtClose  (324, ... ) == 0x0
 02779   424   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02780   424   NtClose  (288, ... ) == 0x0
 02781   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02782   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02783   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 02784   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 288, ... 324, ) == 0x0
 02785   424   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02786   424   NtClose  (288, ... ) == 0x0
 02787   424   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02788   424   NtClose  (324, ... ) == 0x0
 02789   424   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02790   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230456, ... ) }, 1230456, ... ) == 0x0
 02791   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02792   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 288, ) == 0x0
 02793   424   NtQuerySection  (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02794   424   NtClose  (324, ... ) == 0x0
 02795   424   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02796   424   NtClose  (288, ... ) == 0x0
 02797   424   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 288, ) }, ... 288, ) == 0x0
 02798   424   NtQueryValueKey  (288,  (288, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02799   424   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 324, ) == 0x0
 02800   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 02801   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02802   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 328, ) == 0x0
 02803   424   NtClose  (320, ... ) == 0x0
 02804   424   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1170000), 0x0, 24576, ) == 0x0
 02805   424   NtClose  (328, ... ) == 0x0
 02806   424   NtUnmapViewOfSection  (-1, 0x1170000, ... ) == 0x0
 02807   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232072, ... ) }, 1232072, ... ) == 0x0
 02808   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02809   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 320, ) == 0x0
 02810   424   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02811   424   NtClose  (328, ... ) == 0x0
 02812   424   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02813   424   NtClose  (320, ... ) == 0x0
 02814   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 320, ) }, ... 320, ) == 0x0
 02815   424   NtQueryValueKey  (320,  (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02816   424   NtClose  (320, ... ) == 0x0
 02817   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02818   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02819   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02820   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02821   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231748, ... ) }, 1231748, ... ) == 0x0
 02822   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02823   424   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 328, ) == 0x0
 02824   424   NtClose  (320, ... ) == 0x0
 02825   424   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1170000), 0x0, 122880, ) == 0x0
 02826   424   NtClose  (328, ... ) == 0x0
 02827   424   NtUnmapViewOfSection  (-1, 0x1170000, ... ) == 0x0
 02828   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02829   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02830   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02831   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02832   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232064, ... ) }, 1232064, ... ) == 0x0
 02833   424   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02834   424   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 320, ) == 0x0
 02835   424   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02836   424   NtClose  (328, ... ) == 0x0
 02837   424   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0
 02838   424   NtClose  (320, ... ) == 0x0
 02839   424   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02840   424   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02841   424   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02842   424   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02843   424   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02844   424   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02845   424   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02846   424   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02847   424   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02848   424   NtProtectVirtualMemory  (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0
 02849   424   NtProtectVirtualMemory  (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0
 02850   424   NtFlushInstructionCache  (-1, 268521472, 416, ... ) == 0x0
 02851   424   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02852   424   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 18284544, 65536, ) == 0x0
 02853   424   NtAllocateVirtualMemory  (-1, 18284544, 0, 4096, 4096, 4, ... 18284544, 4096, ) == 0x0
 02854   424   NtAllocateVirtualMemory  (-1, 18288640, 0, 8192, 4096, 4, ... 18288640, 8192, ) == 0x0
 02855   424   NtAllocateVirtualMemory  (-1, 18296832, 0, 4096, 4096, 4, ... 18296832, 4096, ) == 0x0
 02856   424   NtQueryPerformanceCounter  (... {114321123, 0}, {3579545, 0}, ) == 0x0
 02857   424   NtRaiseException  (1231556, 1230816, 1, ...
 02858   424   NtContinue  (1229612, 0, ...
 02859   424   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 320, ) }, ... 320, ) == 0x0
 02860   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02861   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02862   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02863   424   NtRaiseException  (1221532, 1220792, 1, ...
 02864   424   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 02865   424   NtContinue  (1219588, 0, ...
 02866   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02867   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02868   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02869   424   NtRaiseException  (1223292, 1222552, 1, ...
 02870   424   NtContinue  (1221348, 0, ...
 02871   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02872   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02873   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02874   424   NtRaiseException  (1223296, 1222556, 1, ...
 02875   424   NtContinue  (1221352, 0, ...
 02876   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02877   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02878   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02879   424   NtRaiseException  (1223292, 1222552, 1, ...
 02880   424   NtContinue  (1221348, 0, ...
 02881   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02882   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02884   424   NtRaiseException  (1223296, 1222556, 1, ...
 02885   424   NtContinue  (1221352, 0, ...
 02886   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02887   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02888   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02889   424   NtRaiseException  (1223292, 1222552, 1, ...
 02890   424   NtContinue  (1221348, 0, ...
 02891   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02892   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02893   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02894   424   NtRaiseException  (1223296, 1222556, 1, ...
 02895   424   NtContinue  (1221352, 0, ...
 02896   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02897   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02899   424   NtRaiseException  (1223292, 1222552, 1, ...
 02900   424   NtContinue  (1221348, 0, ...
 02901   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02902   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02903   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02904   424   NtRaiseException  (1223296, 1222556, 1, ...
 02905   424   NtContinue  (1221352, 0, ...
 02906   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02907   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02908   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02909   424   NtRaiseException  (1223292, 1222552, 1, ...
 02910   424   NtContinue  (1221348, 0, ...
 02911   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02912   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02913   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02914   424   NtRaiseException  (1223296, 1222556, 1, ...
 02915   424   NtContinue  (1221352, 0, ...
 02916   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02917   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02918   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02919   424   NtRaiseException  (1223292, 1222552, 1, ...
 02920   424   NtContinue  (1221348, 0, ...
 02921   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02922   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02923   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02924   424   NtRaiseException  (1223296, 1222556, 1, ...
 02925   424   NtContinue  (1221352, 0, ...
 02926   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02927   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02928   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02929   424   NtRaiseException  (1223292, 1222552, 1, ...
 02930   424   NtContinue  (1221348, 0, ...
 02931   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02932   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02933   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02934   424   NtRaiseException  (1223296, 1222556, 1, ...
 02935   424   NtContinue  (1221352, 0, ...
 02936   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 02937   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02938   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 02939   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02940   424   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {416, 0}, ... 328, ) == 0x0
 02941   424   NtQueryInformationProcess  (328, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02942   424   NtClose  (328, ... ) == 0x0
 02943   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02944   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02945   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 02946   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02947   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02948   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02949   424   NtSetInformationFile  (332, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02950   424   NtSetInformationFile  (332, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02951   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02952   424   NtWriteFile  (332, 133, 0, 0,  (332, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02953   424   NtReadFile  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\354!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02954   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\2\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\0\0d\0\0\0PX\13\0\364\1\0\0~X\13\0jX\13\0\5\0\0\0\1\0\0\0\10\0\0\0\0\0\0\0\10\0\0\0M\0Y\0", ) , 48, 1024, ... {status=0x103, info=68},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\2\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\0\0d\0\0\0PX\13\0\364\1\0\0~X\13\0jX\13\0\5\0\0\0\1\0\0\0\10\0\0\0\0\0\0\0\10\0\0\0M\0Y\0", ) , ) == 0x103
 02955   424   NtClose  (328, ... ) == 0x0
 02956   424   NtClose  (332, ... ) == 0x0
 02957   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02958   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02959   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02960   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02961   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230772,  (0xc0100080, {24, 0, 0x40, 0, 1230772, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02962   424   NtSetInformationFile  (328, 1230828, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02963   424   NtSetInformationFile  (328, 1230820, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02964   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02965   424   NtWriteFile  (328, 133, 0, 0,  (328, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02966   424   NtReadFile  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\355!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02967   424   NtFsControlFile  (328, 133, 0x0, 0x0, 0x11c017,  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\355!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (328, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\355!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02968   424   NtWaitForSingleObject  (133, 0, 0x0, ... ) == 0x0
 02969   424   NtClose  (332, ... ) == 0x0
 02970   424   NtClose  (328, ... ) == 0x0
 02971   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 02972   424   NtQueryKey  (328, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02973   424   NtQuerySecurityObject  (328, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02974   424   NtQuerySecurityObject  (328, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02975   424   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 18350080, 524288, ) == 0x0
 02976   424   NtAllocateVirtualMemory  (-1, 18350080, 0, 4096, 4096, 4, ... 18350080, 4096, ) == 0x0
 02977   424   NtQueryValueKey  (328,  (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02978   424   NtClose  (328, ... ) == 0x0
 02979   424   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02980   424   NtFsControlFile  (328, 0, 0x0, 0x0, 0x600bc,  (328, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (328, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02981   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02982   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02983   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02984   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02985   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232212,  (0xc0100080, {24, 0, 0x40, 0, 1232212, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 02986   424   NtSetInformationFile  (336, 1232268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02987   424   NtSetInformationFile  (336, 1232260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02988   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02989   424   NtWriteFile  (336, 133, 0, 0,  (336, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02990   424   NtReadFile  (336, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (336, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02991   424   NtFsControlFile  (336, 133, 0x0, 0x0, 0x11c017,  (336, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (336, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\274\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356!\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02992   424   NtClose  (332, ... ) == 0x0
 02993   424   NtClose  (336, ... ) == 0x0
 02994   424   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 02995   424   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 02996   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231724, ... ) }, 1231724, ... ) == 0x0
 02997   424   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 336, ) }, ... 336, ) == 0x0
 02998   424   NtWaitForSingleObject  (336, 0, {-1800000000, -1}, ... ) == 0x0
 02999   424   NtClose  (336, ... ) == 0x0
 03000   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03001   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 03002   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03003   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03004   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232248,  (0xc0100080, {24, 0, 0x40, 0, 1232248, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 03005   424   NtSetInformationFile  (332, 1232304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03006   424   NtSetInformationFile  (332, 1232296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03007   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03008   424   NtWriteFile  (332, 133, 0, 0,  (332, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03009   424   NtReadFile  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\217 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03010   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\217 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\217 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03011   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03012   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03013   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\265}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03014   424   NtFsControlFile  (332, 133, 0x0, 0x0, 0x11c017,  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03015   424   NtClose  (336, ... ) == 0x0
 03016   424   NtClose  (332, ... ) == 0x0
 03017   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03018   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03019   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03020   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03021   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231716, ... ) }, 1231716, ... ) == 0x0
 03022   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 332, ) }, ... 332, ) == 0x0
 03023   424   NtQueryValueKey  (332,  (332, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 03024   424   NtClose  (332, ... ) == 0x0
 03025   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 332, ) }, ... 332, ) == 0x0
 03026   424   NtQueryValueKey  (332,  (332, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 03027   424   NtClose  (332, ... ) == 0x0
 03028   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 332, ) }, ... 332, ) == 0x0
 03029   424   NtQueryValueKey  (332,  (332, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03030   424   NtClose  (332, ... ) == 0x0
 03031   424   NtRaiseException  (1222216, 1221476, 1, ...
 03032   424   NtContinue  (1220272, 0, ...
 03033   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03034   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03035   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03036   424   NtRaiseException  (1222212, 1221472, 1, ...
 03037   424   NtContinue  (1220268, 0, ...
 03038   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03039   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03041   424   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1232880, 0,  (0x1f0001, {24, 52, 0x80, 1232880, 0, "HGFSMUTEX"}, 1, ... 332, ) }, 1, ... 332, ) == STATUS_OBJECT_NAME_EXISTS
 03042   424   NtWaitForSingleObject  (332, 0, 0x0, ... ) == 0x0
 03043   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "HGFSMEMORY"}, ... 336, ) }, ... 336, ) == 0x0
 03044   424   NtMapViewOfSection  (336, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1200000), {0, 0}, 28672, ) == 0x0
 03045   424   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 03046   424   NtRaiseException  (1223268, 1222528, 1, ...
 03047   424   NtContinue  (1221324, 0, ...
 03048   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03049   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03050   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03051   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233924, 1233512,  (0xc0100080, {24, 0, 0x40, 1233924, 1233512, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 03052   424   NtDeviceIoControlFile  (340, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (340, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 03053   424   NtClose  (340, ... ) == 0x0
 03054   424   NtRaiseException  (1223248, 1222508, 1, ...
 03055   424   NtContinue  (1221304, 0, ...
 03056   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03057   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03058   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03059   424   NtRaiseException  (1223268, 1222528, 1, ...
 03060   424   NtContinue  (1221324, 0, ...
 03061   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03062   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03064   424   NtAllocateVirtualMemory  (-1, 1474560, 0, 20480, 4096, 4, ... 1474560, 20480, ) == 0x0
 03065   424   NtAllocateVirtualMemory  (-1, 1495040, 0, 20480, 4096, 4, ... 1495040, 20480, ) == 0x0
 03066   424   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 03067   424   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 03068   424   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 03069   424   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 03070   424   NtClose  (340, ... ) == 0x0
 03071   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03072   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 03073   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03074   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03075   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232188,  (0xc0100080, {24, 0, 0x40, 0, 1232188, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0
 03076   424   NtSetInformationFile  (344, 1232244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03077   424   NtSetInformationFile  (344, 1232236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03078   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03079   424   NtWriteFile  (344, 133, 0, 0,  (344, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03080   424   NtReadFile  (344, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (344, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\220 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03081   424   NtFsControlFile  (344, 133, 0x0, 0x0, 0x11c017,  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\220 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\220 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03082   424   NtFsControlFile  (344, 133, 0x0, 0x0, 0x11c017,  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03083   424   NtFsControlFile  (344, 133, 0x0, 0x0, 0x11c017,  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03084   424   NtFsControlFile  (344, 133, 0x0, 0x0, 0x11c017,  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\271}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03085   424   NtFsControlFile  (344, 133, 0x0, 0x0, 0x11c017,  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (344, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\272}\230\242\355~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03086   424   NtClose  (340, ... ) == 0x0
 03087   424   NtClose  (344, ... ) == 0x0
 03088   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03089   424   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0
 03090   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03091   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03092   424   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232280,  (0xc0100080, {24, 0, 0x40, 0, 1232280, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 03093   424   NtSetInformationFile  (340, 1232336, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03094   424   NtSetInformationFile  (340, 1232328, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03095   424   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03096   424   NtWriteFile  (340, 133, 0, 0,  (340, 133, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03097   424   NtReadFile  (340, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (340, 133, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03098   424   NtFsControlFile  (340, 133, 0x0, 0x0, 0x11c017,  (340, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (340, 133, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\256'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03099   424   NtClose  (344, ... ) == 0x0
 03100   424   NtClose  (340, ... ) == 0x0
 03101   424   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 03102   424   NtSetValueKey  (340,  (340, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (340, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03103   424   NtClose  (340, ... ) == 0x0
 03104   424   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 340, ) }, ... 340, ) == 0x0
 03105   424   NtQueryValueKey  (340,  (340, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03106   424   NtClose  (340, ... ) == 0x0
 03107   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03109   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03111   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03112   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03113   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03114   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03115   424   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 03116   424   NtSetValueKey  (340,  (340, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (340, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03117   424   NtClose  (340, ... ) == 0x0
 03118   424   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 340, ) }, ... 340, ) == 0x0
 03119   424   NtQueryValueKey  (340,  (340, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03120   424   NtClose  (340, ... ) == 0x0
 03121   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03122   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03123   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03124   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03125   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03126   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03127   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03128   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03129   424   NtWaitForSingleObject  (324, 0, {-70000000, -1}, ... ) == 0x0
 03130   424   NtReleaseSemaphore  (324, 1, ... 0x0, ) == 0x0
 03131   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03132   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03133   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03134   424   NtClose  (340, ... ) == 0x0
 03135   424   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 340, ) }, ... 340, ) == 0x0
 03136   424   NtOpenKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Network"}, ... 344, ) }, ... 344, ) == 0x0
 03137   424   NtClose  (340, ... ) == 0x0
 03138   424   NtQueryKey  (344, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (344, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03139   424   NtQuerySecurityObject  (344, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03140   424   NtQuerySecurityObject  (344, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03141   424   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 03142   424   NtEnumerateKey  (344, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (344, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03143   424   NtOpenKey  (0x2001f, {24, 344, 0x40, 0, 0,  (0x2001f, {24, 344, 0x40, 0, 0, "f"}, ... 340, ) }, ... 340, ) == 0x0
 03144   424   NtQueryValueKey  (340,  (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03145   424   NtQueryValueKey  (340,  (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03146   424   NtQueryValueKey  (340,  (340, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03147   424   NtQueryValueKey  (340,  (340, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03148   424   NtQueryValueKey  (340,  (340, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03149   424   NtQueryValueKey  (340,  (340, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03150   424   NtQueryValueKey  (340,  (340, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03151   424   NtClose  (340, ... ) == 0x0
 03152   424   NtEnumerateKey  (344, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (344, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03153   424   NtOpenKey  (0x2001f, {24, 344, 0x40, 0, 0,  (0x2001f, {24, 344, 0x40, 0, 0, "u"}, ... 340, ) }, ... 340, ) == 0x0
 03154   424   NtQueryValueKey  (340,  (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03155   424   NtQueryValueKey  (340,  (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03156   424   NtQueryValueKey  (340,  (340, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03157   424   NtQueryValueKey  (340,  (340, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03158   424   NtQueryValueKey  (340,  (340, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03159   424   NtQueryValueKey  (340,  (340, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03160   424   NtQueryValueKey  (340,  (340, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03161   424   NtClose  (340, ... ) == 0x0
 03162   424   NtClose  (344, ... ) == 0x0
 03163   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03164   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03165   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03166   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03167   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03168   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03169   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 344, ) }, ... 344, ) == 0x0
 03170   424   NtQueryKey  (346, Name, 392, ... {Name= (346, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03171   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03172   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03173   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03174   424   NtClose  (340, ... ) == 0x0
 03175   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   424   NtEnumerateKey  (346, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (346, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03177   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03178   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03179   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 340, ) }, ... 340, ) == 0x0
 03180   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03181   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03182   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03183   424   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03184   424   NtClose  (348, ... ) == 0x0
 03185   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03186   424   NtQueryValueKey  (342,  (342, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (342, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03187   424   NtClose  (342, ... ) == 0x0
 03188   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03189   424   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 340, {status=0x0, info=1}, ) }, 3, 96, ... 340, {status=0x0, info=1}, ) == 0x0
 03190   424   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 348, ) }, ... 348, ) == 0x0
 03191   424   NtQuerySymbolicLinkObject  (348, ...  (348, ... "\Device\WinDfs\U:00000000000091ac", 66, ) , 66, ) == 0x0
 03192   424   NtClose  (348, ... ) == 0x0
 03193   424   NtQueryVolumeInformationFile  (340, 1233600, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03194   424   NtClose  (340, ... ) == 0x0
 03195   424   NtEnumerateKey  (346, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03196   424   NtClose  (346, ... ) == 0x0
 03197   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0
 03198   424   NtQueryDirectoryFile  (344, 0, 0, 0, 1232388, 616, BothDirectory, 1,  (344, 0, 0, 0, 1232388, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03199   424   NtClose  (344, ... ) == 0x0
 03200   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03201   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03202   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 344, ) }, ... 344, ) == 0x0
 03203   424   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03204   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03205   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03206   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03207   424   NtClose  (340, ... ) == 0x0
 03208   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03209   424   NtOpenKey  (0x1, {24, 346, 0x40, 0, 0,  (0x1, {24, 346, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03210   424   NtQueryKey  (346, Name, 384, ... {Name= (346, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03211   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03212   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03213   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03214   424   NtClose  (340, ... ) == 0x0
 03215   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03216   424   NtOpenKey  (0x2000000, {24, 346, 0x40, 0, 0, ""}, ... 340, ) == 0x0
 03217   424   NtClose  (346, ... ) == 0x0
 03218   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03219   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03220   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03221   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03222   424   NtQueryValueKey  (344,  (344, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03223   424   NtClose  (344, ... ) == 0x0
 03224   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03225   424   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 344, ) == 0x0
 03226   424   NtQueryValueKey  (344,  (344, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03227   424   NtQueryValueKey  (344,  (344, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (344, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03228   424   NtClose  (344, ... ) == 0x0
 03229   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03230   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03231   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03232   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03233   424   NtQueryValueKey  (344,  (344, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03234   424   NtClose  (344, ... ) == 0x0
 03235   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03236   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03237   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03238   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03239   424   NtQueryValueKey  (344,  (344, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03240   424   NtClose  (344, ... ) == 0x0
 03241   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03242   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03243   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03244   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03245   424   NtQueryValueKey  (344,  (344, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03246   424   NtClose  (344, ... ) == 0x0
 03247   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03248   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03249   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03250   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03251   424   NtQueryValueKey  (344,  (344, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03252   424   NtClose  (344, ... ) == 0x0
 03253   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03254   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03255   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03256   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03257   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03258   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03259   424   NtQueryValueKey  (344,  (344, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03260   424   NtClose  (344, ... ) == 0x0
 03261   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03262   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03263   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03264   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03265   424   NtQueryValueKey  (344,  (344, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03266   424   NtClose  (344, ... ) == 0x0
 03267   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03268   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03269   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03270   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 344, ) }, ... 344, ) == 0x0
 03271   424   NtQueryValueKey  (344,  (344, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03272   424   NtClose  (344, ... ) == 0x0
 03273   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03274   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03275   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03276   424   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 344, ) }, ... 344, ) == 0x0
 03277   424   NtQueryValueKey  (344,  (344, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03278   424   NtQueryValueKey  (344,  (344, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03279   424   NtQueryValueKey  (344,  (344, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03280   424   NtQueryValueKey  (344,  (344, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03281   424   NtQueryValueKey  (344,  (344, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03282   424   NtQueryValueKey  (344,  (344, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03283   424   NtQueryValueKey  (344,  (344, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03284   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03285   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03286   424   NtQueryValueKey  (344,  (344, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03287   424   NtQueryValueKey  (344,  (344, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03288   424   NtQueryValueKey  (344,  (344, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03289   424   NtQueryValueKey  (344,  (344, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03290   424   NtQueryValueKey  (344,  (344, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03291   424   NtClose  (344, ... ) == 0x0
 03292   424   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1365368, 0,  (0x1f0003, {24, 52, 0x80, 1365368, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 344, ) }, 0, 2147483647, ... 344, ) == STATUS_OBJECT_NAME_EXISTS
 03293   424   NtReleaseSemaphore  (344, 1, ... 0, ) == 0x0
 03294   424   NtWaitForSingleObject  (344, 0, {0, 0}, ... ) == 0x0
 03295   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03296   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03297   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03298   424   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03299   424   NtClose  (348, ... ) == 0x0
 03300   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03302   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03303   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03304   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03305   424   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03306   424   NtClose  (348, ... ) == 0x0
 03307   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03308   424   NtQueryValueKey  (342,  (342, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03309   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03310   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03311   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03312   424   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03313   424   NtClose  (348, ... ) == 0x0
 03314   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03315   424   NtQueryValueKey  (342,  (342, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03316   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03317   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03318   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 03319   424   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03320   424   NtClose  (348, ... ) == 0x0
 03321   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03322   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03323   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03324   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03325   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 348, ) }, ... 348, ) == 0x0
 03326   424   NtQueryKey  (350, Name, 384, ... {Name= (350, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03327   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03328   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03329   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03330   424   NtClose  (352, ... ) == 0x0
 03331   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03332   424   NtOpenKey  (0x1, {24, 350, 0x40, 0, 0,  (0x1, {24, 350, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03333   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03334   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03335   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03336   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03337   424   NtClose  (352, ... ) == 0x0
 03338   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03339   424   NtQueryValueKey  (342,  (342, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03340   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03341   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03342   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03343   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03344   424   NtClose  (352, ... ) == 0x0
 03345   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03346   424   NtQueryValueKey  (342,  (342, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (342, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03347   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03348   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03349   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03350   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03351   424   NtClose  (352, ... ) == 0x0
 03352   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03353   424   NtQueryValueKey  (342,  (342, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03354   424   NtClose  (342, ... ) == 0x0
 03355   424   NtClose  (350, ... ) == 0x0
 03356   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 03357   424   NtQueryDirectoryFile  (348, 0, 0, 0, 1232316, 616, BothDirectory, 1,  (348, 0, 0, 0, 1232316, 616, BothDirectory, 1, "zufbj.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03358   424   NtClose  (348, ... ) == 0x0
 03359   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03360   424   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 348, ) }, ... 348, ) == 0x0
 03361   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03362   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03363   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03364   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03365   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03366   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 340, ) }, ... 340, ) == 0x0
 03367   424   NtQueryKey  (342, Name, 392, ... {Name= (342, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03368   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03369   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03370   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03371   424   NtClose  (352, ... ) == 0x0
 03372   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03373   424   NtQueryValueKey  (342, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (342, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03374   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03375   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03376   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 352, ) }, ... 352, ) == 0x0
 03377   424   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03378   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03379   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03380   424   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03381   424   NtClose  (356, ... ) == 0x0
 03382   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03383   424   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03384   424   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03385   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03386   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03387   424   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03388   424   NtClose  (356, ... ) == 0x0
 03389   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03390   424   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0, ""}, ... 356, ) == 0x0
 03391   424   NtClose  (354, ... ) == 0x0
 03392   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03393   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03394   424   NtReleaseSemaphore  (344, 1, ... 0, ) == 0x0
 03395   424   NtWaitForSingleObject  (344, 0, {0, 0}, ... ) == 0x0
 03396   424   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03397   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03398   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03399   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03400   424   NtClose  (352, ... ) == 0x0
 03401   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03402   424   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03403   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03404   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03405   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03406   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03407   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03408   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 352, ) }, ... 352, ) == 0x0
 03409   424   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03410   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03411   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03412   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03413   424   NtClose  (360, ... ) == 0x0
 03414   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03415   424   NtQueryValueKey  (354,  (354, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03416   424   NtClose  (354, ... ) == 0x0
 03417   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03418   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03419   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03420   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03421   424   NtClose  (352, ... ) == 0x0
 03422   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03423   424   NtQueryValueKey  (358,  (358, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03424   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03425   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03426   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03427   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03428   424   NtClose  (352, ... ) == 0x0
 03429   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03430   424   NtQueryValueKey  (358,  (358, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03431   424   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03432   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03433   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03434   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03435   424   NtClose  (352, ... ) == 0x0
 03436   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03437   424   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03438   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03439   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03440   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 352, ) }, ... 352, ) == 0x0
 03441   424   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03442   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03443   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03444   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03445   424   NtClose  (360, ... ) == 0x0
 03446   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03447   424   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03448   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03449   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03450   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03451   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03452   424   NtClose  (360, ... ) == 0x0
 03453   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03454   424   NtQueryValueKey  (358,  (358, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03455   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03456   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03457   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03458   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03459   424   NtClose  (360, ... ) == 0x0
 03460   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03461   424   NtQueryValueKey  (358,  (358, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03462   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03463   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03464   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03465   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03466   424   NtClose  (360, ... ) == 0x0
 03467   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03468   424   NtQueryValueKey  (358,  (358, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03469   424   NtClose  (342, ... ) == 0x0
 03470   424   NtClose  (358, ... ) == 0x0
 03471   424   NtClose  (354, ... ) == 0x0
 03472   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03473   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03474   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03475   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03476   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03477   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03478   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 352, ) }, ... 352, ) == 0x0
 03479   424   NtQueryKey  (354, Name, 392, ... {Name= (354, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03480   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03481   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03482   424   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03483   424   NtClose  (356, ... ) == 0x0
 03484   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03485   424   NtQueryValueKey  (354, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (354, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03486   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03487   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 356, ) }, ... 356, ) == 0x0
 03489   424   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03490   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03491   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03492   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03493   424   NtClose  (340, ... ) == 0x0
 03494   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03495   424   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496   424   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03497   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03498   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03499   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03500   424   NtClose  (340, ... ) == 0x0
 03501   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03502   424   NtOpenKey  (0x2000000, {24, 358, 0x40, 0, 0, ""}, ... 340, ) == 0x0
 03503   424   NtClose  (358, ... ) == 0x0
 03504   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03505   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03506   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03507   424   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03508   424   NtClose  (356, ... ) == 0x0
 03509   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03510   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03511   424   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03512   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03513   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 03514   424   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03515   424   NtClose  (356, ... ) == 0x0
 03516   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03517   424   NtOpenKey  (0x1, {24, 354, 0x40, 0, 0,  (0x1, {24, 354, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03518   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03519   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03520   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03521   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03522   424   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03523   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 356, ) }, ... 356, ) == 0x0
 03524   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03525   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03526   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03527   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03528   424   NtClose  (360, ... ) == 0x0
 03529   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03530   424   NtQueryValueKey  (358,  (358, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03531   424   NtClose  (358, ... ) == 0x0
 03532   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03533   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03534   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 356, ) }, ... 356, ) == 0x0
 03535   424   NtQueryKey  (358, Name, 384, ... {Name= (358, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03536   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03537   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03538   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03539   424   NtClose  (360, ... ) == 0x0
 03540   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03541   424   NtOpenKey  (0x1, {24, 358, 0x40, 0, 0,  (0x1, {24, 358, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03542   424   NtClose  (354, ... ) == 0x0
 03543   424   NtClose  (342, ... ) == 0x0
 03544   424   NtClose  (358, ... ) == 0x0
 03545   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03546   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03547   424   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03548   424   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03549   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03550   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03551   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 356, ) }, ... 356, ) == 0x0
 03552   424   NtQueryKey  (358, Name, 392, ... {Name= (358, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03553   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03554   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03555   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03556   424   NtClose  (340, ... ) == 0x0
 03557   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03558   424   NtQueryValueKey  (358, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (358, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03559   424   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03560   424   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0,  (0x2000000, {24, 166, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03561   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 340, ) }, ... 340, ) == 0x0
 03562   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03563   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03564   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03565   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03566   424   NtClose  (352, ... ) == 0x0
 03567   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03568   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03569   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03570   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03571   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 03572   424   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03573   424   NtClose  (352, ... ) == 0x0
 03574   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03575   424   NtOpenKey  (0x2000000, {24, 342, 0x40, 0, 0, ""}, ... 352, ) == 0x0
 03576   424   NtClose  (342, ... ) == 0x0
 03577   424   NtQueryKey  (354, Name, 384, ... {Name= (354, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03578   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03579   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 340, ) == 0x0
 03580   424   NtQueryInformationToken  (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03581   424   NtClose  (340, ... ) == 0x0
 03582   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03583   424   NtOpenKey  (0x2000000, {24, 354, 0x40, 0, 0,  (0x2000000, {24, 354, 0x40, 0, 0, "shell\open"}, ... 340, ) }, ... 340, ) == 0x0
 03584   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03585   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03586   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03587   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03588   424   NtClose  (360, ... ) == 0x0
 03589   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03590   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "command"}, ... 360, ) }, ... 360, ) == 0x0
 03591   424   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03592   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03593   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03594   424   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03595   424   NtClose  (364, ... ) == 0x0
 03596   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03597   424   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03598   424   NtClose  (362, ... ) == 0x0
 03599   424   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03600   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03601   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03602   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03603   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03604   424   NtClose  (360, ... ) == 0x0
 03605   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03606   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "command"}, ... 360, ) }, ... 360, ) == 0x0
 03607   424   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03608   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03609   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03610   424   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03611   424   NtClose  (364, ... ) == 0x0
 03612   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03613   424   NtQueryValueKey  (362,  (362, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03614   424   NtClose  (362, ... ) == 0x0
 03615   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\zufbj.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03616   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03617   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03618   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03619   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03620   424   NtClose  (360, ... ) == 0x0
 03621   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03622   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "command"}, ... 360, ) }, ... 360, ) == 0x0
 03623   424   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03624   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03625   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03626   424   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03627   424   NtClose  (364, ... ) == 0x0
 03628   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03629   424   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03630   424   NtClose  (362, ... ) == 0x0
 03631   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03632   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03633   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03634   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03635   424   NtClose  (360, ... ) == 0x0
 03636   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03637   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03638   424   NtUserGetForegroundWindow  (... ) == 0x2005c
 03639   424   NtQueryKey  (342, Name, 384, ... {Name= (342, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03640   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03641   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 03642   424   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03643   424   NtClose  (360, ... ) == 0x0
 03644   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03645   424   NtOpenKey  (0x1, {24, 342, 0x40, 0, 0,  (0x1, {24, 342, 0x40, 0, 0, "command"}, ... 360, ) }, ... 360, ) == 0x0
 03646   424   NtQueryKey  (362, Name, 392, ... {Name= (362, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03647   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03648   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 03649   424   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03650   424   NtClose  (364, ... ) == 0x0
 03651   424   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03652   424   NtQueryValueKey  (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (362, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03653   424   NtClose  (362, ... ) == 0x0
 03654   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03655   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03656   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03657   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 360, ) }, ... 360, ) == 0x0
 03658   424   NtQueryValueKey  (360,  (360, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03659   424   NtClose  (360, ... ) == 0x0
 03660   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03661   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03662   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03663   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 360, ) }, ... 360, ) == 0x0
 03664   424   NtQueryValueKey  (360,  (360, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03665   424   NtClose  (360, ... ) == 0x0
 03666   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\zufbj.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03667   424   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03668   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\zufbj.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03669   424   NtReleaseSemaphore  (156, 1, ... 0, ) == 0x0
 03670   424   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x0
 03671   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03672   424   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 360, ) }, ... 360, ) == 0x0
 03673   424   NtQueryValueKey  (360,  (360, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03674   424   NtClose  (360, ... ) == 0x0
 03675   424   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\zufbj.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03676   424   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03677   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1228796, ... ) }, 1228796, ... ) == 0x0
 03678   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03679   424   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 03680   424   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 360, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03681   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 364, ) }, ... 364, ) == 0x0
 03682   424   NtQueryValueKey  (364,  (364, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03683   424   NtClose  (364, ... ) == 0x0
 03684   424   NtQueryVolumeInformationFile  (360, 1228796, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03685   424   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03686   424   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03687   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226780, ... ) }, 1226780, ... ) == 0x0
 03688   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0
 03689   424   NtQueryInformationFile  (364, 1227384, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03690   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 364, ... 368, ) == 0x0
 03691   424   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1210000), 0x0, 1028096, ) == 0x0
 03692   424   NtQueryInformationFile  (364, 1227480, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03693   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03694   424   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03695   424   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03696   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 03697   424   NtQueryDirectoryFile  (372, 0, 0, 0, 1225044, 616, BothDirectory, 1,  (372, 0, 0, 0, 1225044, 616, BothDirectory, 1, "zufbj.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03698   424   NtClose  (372, ... ) == 0x0
 03699   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03700   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03701   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1224432, ... ) }, 1224432, ... ) == 0x0
 03702   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 03703   424   NtQueryDirectoryFile  (372, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (372, 0, 0, 0, 1223792, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03704   424   NtClose  (372, ... ) == 0x0
 03705   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 03706   424   NtQueryDirectoryFile  (372, 0, 0, 0, 1223792, 616, BothDirectory, 1,  (372, 0, 0, 0, 1223792, 616, BothDirectory, 1, "zufbj.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03707   424   NtClose  (372, ... ) == 0x0
 03708   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03709   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03710   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03711   424   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 372, {status=0x0, info=1}, ) }, 3, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 03712   424   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 376, ) }, ... 376, ) == 0x0
 03713   424   NtQuerySymbolicLinkObject  (376, ...  (376, ... "\Device\WinDfs\U:00000000000091ac", 66, ) , 66, ) == 0x0
 03714   424   NtClose  (376, ... ) == 0x0
 03715   424   NtQueryVolumeInformationFile  (372, 1225184, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03716   424   NtClose  (372, ... ) == 0x0
 03717   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03718   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 03719   424   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03720   424   NtClose  (372, ... ) == 0x0
 03721   424   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03722   424   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\zufbj.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03723   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03724   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03725   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\zufbj.bat"}, 1226712, ... ) }, 1226712, ... ) == 0x0
 03726   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 03727   424   NtQueryDirectoryFile  (372, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (372, 0, 0, 0, 1226072, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 03728   424   NtClose  (372, ... ) == 0x0
 03729   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 03730   424   NtQueryDirectoryFile  (372, 0, 0, 0, 1226072, 616, BothDirectory, 1,  (372, 0, 0, 0, 1226072, 616, BothDirectory, 1, "zufbj.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03731   424   NtClose  (372, ... ) == 0x0
 03732   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03733   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03734   424   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03735   424   NtQueryVolumeInformationFile  (360, 1227356, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03736   424   NtQueryInformationFile  (360, 1227336, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03737   424   NtQueryInformationFile  (360, 1227376, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03738   424   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03739   424   NtUnmapViewOfSection  (-1, 0x1210000, ... ) == 0x0
 03740   424   NtClose  (368, ... ) == 0x0
 03741   424   NtClose  (364, ... ) == 0x0
 03742   424   NtClose  (360, ... ) == 0x0
 03743   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03744   424   NtQueryAttributesFile  ({24, 112, 0x40, 0, 0,  ({24, 112, 0x40, 0, 0, "cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03745   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228772, ... ) }, 1228772, ... ) == 0x0
 03746   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03747   424   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 03748   424   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0
 03749   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03750   424   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03751   424   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03752   424   NtCreateProcessEx  (1231424, 2035711, 0, -1, 0, 364, 0, 0, 0, ... ) == 0x0
 03753   424   NtSetInformationProcess  (368, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03754   424   NtQueryInformationProcess  (368, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1260,ParentPid=416,}, 0x0, ) == 0x0
 03755   424   NtReadVirtualMemory  (368, 0x7ffdf008, 4, ...  (368, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03756   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03757   424   NtReadVirtualMemory  (368, 0x4ad00000, 4096, ...  (368, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03758   424   NtReadVirtualMemory  (368, 0x4ad3b000, 256, ...  (368, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03759   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03760   424   NtQueryInformationProcess  (368, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1260,ParentPid=416,}, 0x0, ) == 0x0
 03761   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229488, ... ) }, 1229488, ... ) == 0x0
 03762   424   NtAllocateVirtualMemory  (-1, 0, 0, 1640, 4096, 4, ... 18939904, 4096, ) == 0x0
 03763   424   NtAllocateVirtualMemory  (368, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03764   424   NtWriteVirtualMemory  (368, 0x10000,  (368, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03765   424   NtAllocateVirtualMemory  (368, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0
 03766   424   NtWriteVirtualMemory  (368, 0x20000,  (368, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0:\0<\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0
 03767   424   NtWriteVirtualMemory  (368, 0x7ffdf010,  (368, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03768   424   NtWriteVirtualMemory  (368, 0x7ffdf1e8,  (368, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03769   424   NtFreeVirtualMemory  (-1, (0x1210000), 0, 32768, ... (0x1210000), 4096, ) == 0x0
 03770   424   NtAllocateVirtualMemory  (368, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03771   424   NtAllocateVirtualMemory  (368, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03772   424   NtCreateThread  (0x1f03ff, 0x0, 368, 1229688, 1230408, 1, ... 372, {1260, 1300}, ) == 0x0
 03773   424   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0p\1\0\0t\1\0\0\354\4\0\0\24\5\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 416, 424, 1578, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0p\1\0\0t\1\0\0\354\4\0\0\24\5\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 416, 424, 1578, 0}  (24, {168, 196, new_msg, 0, 0, 1231520, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0p\1\0\0t\1\0\0\354\4\0\0\24\5\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 416, 424, 1578, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0p\1\0\0t\1\0\0\354\4\0\0\24\5\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0,\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03774   424   NtResumeThread  (372, ... 1, ) == 0x0
 03775   424   NtClose  (360, ... ) == 0x0
 03776   424   NtClose  (364, ... ) == 0x0
 03777   424   NtClose  (342, ... ) == 0x0
 03778   424   NtClose  (358, ... ) == 0x0
 03779   424   NtClose  (354, ... ) == 0x0
 03780   424   NtClose  (368, ... ) == 0x0
 03781   424   NtClose  (372, ... ) == 0x0
 03782   424   NtGdiDeleteObjectApp  (117965802, ... ) == 0x1
 03783   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03784   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03785   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03786   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03787   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03788   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03789   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03790   424   NtUserGetClassInfo  (1989935104, 1233728, 1233680, 1233756, 0, ... ) == 0x0
 03791   424   NtUnmapViewOfSection  (-1, 0xc50000, ... ) == 0x0
 03792   424   NtClose  (284, ... ) == 0x0
 03793   424   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03794   424   NtUserDestroyWindow  (65736, ...
 03795   424   NtUserRemoveProp  (65736, 43288, ... ) == 0xffffffff
 03796   424   NtUserRemoveProp  (65736, 43282, ... ) == 0x0
 03797   424   NtUserRemoveProp  (65736, 43287, ... ) == 0x0
 03794   424   NtUserDestroyWindow  ... ) == 0x1
 03798   424   NtUserUnregisterClass  (1234868, 1998258176, 1234856, ... ) == 0x1
 03799   424   NtFreeVirtualMemory  (-1, (0x155000), 8192, 16384, ... (0x155000), 8192, ) == 0x0
 03800   424   NtClose  (188, ... ) == 0x0
 03801   424   NtClose  (180, ... ) == 0x0
 03802   424   NtClose  (184, ... ) == 0x0
 03803   424   NtClose  (160, ... ) == 0x0
 03804   424   NtClose  (176, ... ) == 0x0
 03805   424   NtClose  (208, ... ) == 0x0
 03806   424   NtClose  (212, ... ) == 0x0
 03807   424   NtClose  (204, ... ) == 0x0
 03808   424   NtClose  (196, ... ) == 0x0
 03809   424   NtClose  (200, ... ) == 0x0
 03810   424   NtClose  (224, ... ) == 0x0
 03811   424   NtClose  (228, ... ) == 0x0
 03812   424   NtClose  (216, ... ) == 0x0
 03813   424   NtClose  (220, ... ) == 0x0
 03814   424   NtClose  (248, ... ) == 0x0
 03815   424   NtClose  (240, ... ) == 0x0
 03816   424   NtClose  (244, ... ) == 0x0
 03817   424   NtClose  (232, ... ) == 0x0
 03818   424   NtClose  (236, ... ) == 0x0
 03819   424   NtClose  (252, ... ) == 0x0
 03820   424   NtClose  (256, ... ) == 0x0
 03821   424   NtClose  (268, ... ) == 0x0
 03822   424   NtClose  (272, ... ) == 0x0
 03823   424   NtClose  (260, ... ) == 0x0
 03824   424   NtClose  (264, ... ) == 0x0
 03825   424   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03826   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1235744, ... ) }, 1235744, ... ) == 0x0
 03827   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1236436, ... ) }, 1236436, ... ) == 0x0
 03828   424   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 03829   424   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 264, ... 260, ) == 0x0
 03830   424   NtQueryVolumeInformationFile  (264, 1235744, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03831   424   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03832   424   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03833   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) == 0x0
 03834   424   NtQueryInformationFile  (272, 1234332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03835   424   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 272, ... 268, ) == 0x0
 03836   424   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1210000), 0x0, 1028096, ) == 0x0
 03837   424   NtQueryInformationFile  (272, 1234428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03838   424   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03839   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03840   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1231992, 616, BothDirectory, 1,  (256, 0, 0, 0, 1231992, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03841   424   NtClose  (256, ... ) == 0x0
 03842   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03843   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03844   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1231380, ... ) }, 1231380, ... ) == 0x0
 03845   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03846   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03847   424   NtClose  (256, ... ) == 0x0
 03848   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03849   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03850   424   NtClose  (256, ... ) == 0x0
 03851   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03852   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1,  (256, 0, 0, 0, 1230740, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03853   424   NtClose  (256, ... ) == 0x0
 03854   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03855   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03856   424   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03857   424   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03858   424   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 256, ) == 0x0
 03859   424   NtQueryInformationToken  (256, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03860   424   NtClose  (256, ... ) == 0x0
 03861   424   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03862   424   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\Isass.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03863   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03864   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03865   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1233660, ... ) }, 1233660, ... ) == 0x0
 03866   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03867   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03868   424   NtClose  (256, ... ) == 0x0
 03869   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03870   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03871   424   NtClose  (256, ... ) == 0x0
 03872   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 256, {status=0x0, info=1}, ) }, 3, 16417, ... 256, {status=0x0, info=1}, ) == 0x0
 03873   424   NtQueryDirectoryFile  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1,  (256, 0, 0, 0, 1233020, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03874   424   NtClose  (256, ... ) == 0x0
 03875   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03876   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03877   424   NtWaitForSingleObject  (168, 0, {-1000000, -1}, ... ) == 0x0
 03878   424   NtQueryVolumeInformationFile  (264, 1234304, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03879   424   NtQueryInformationFile  (264, 1234284, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03880   424   NtQueryInformationFile  (264, 1234324, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03881   424   NtReleaseMutant  (168, ... 0x0, ) == 0x0
 03882   424   NtUnmapViewOfSection  (-1, 0x1210000, ... ) == 0x0
 03883   424   NtClose  (268, ... ) == 0x0
 03884   424   NtClose  (272, ... ) == 0x0
 03885   424   NtQuerySection  (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03886   424   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Isass.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03887   424   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03888   424   NtOpenProcessToken  (-1, 0xa, ... 272, ) == 0x0
 03889   424   NtQueryInformationToken  (272, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03890   424   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03891   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 03892   424   NtQueryValueKey  (268,  (268, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (268, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03893   424   NtQueryValueKey  (268,  (268, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (268, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03894   424   NtClose  (268, ... ) == 0x0
 03895   424   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 03896   424   NtQueryValueKey  (268,  (268, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03897   424   NtQueryValueKey  (268,  (268, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (268, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03898   424   NtClose  (268, ... ) == 0x0
 03899   424   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 268, ) }, ... 268, ) == 0x0
 03900   424   NtQuerySymbolicLinkObject  (268, ...  (268, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03901   424   NtClose  (268, ... ) == 0x0
 03902   424   NtQueryInformationFile  (264, 1234096, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 03903   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03904   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03905   424   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe"}, 1232776, ... ) }, 1232776, ... ) == 0x0
 03906   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 03907   424   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03908   424   NtClose  (268, ... ) == 0x0
 03909   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 03910   424   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03911   424   NtClose  (268, ... ) == 0x0
 03912   424   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 268, {status=0x0, info=1}, ) }, 3, 16417, ... 268, {status=0x0, info=1}, ) == 0x0
 03913   424   NtQueryDirectoryFile  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1,  (268, 0, 0, 0, 1232136, 616, BothDirectory, 1, "Isass.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03914   424   NtClose  (268, ... ) == 0x0
 03915   424   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03916   424   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03917   424   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 268, ) }, ... 268, ) == 0x0
 03918   424   NtQueryValueKey  (268,  (268, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03919   424   NtClose  (268, ... ) == 0x0
 03920   424   NtQueryInformationToken  (272, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03921   424   NtQueryInformationToken  (272, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03922   424   NtClose  (272, ... ) == 0x0
 03923   424   NtCreateProcessEx  (1238372, 2035711, 0, -1, 4, 260, 0, 0, 0, ... ) == 0x0
 03924   424   NtSetInformationProcess  (272, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03925   424   NtQueryInformationProcess  (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1444,ParentPid=416,}, 0x0, ) == 0x0
 03926   424   NtReadVirtualMemory  (272, 0x7ffdf008, 4, ...  (272, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03927   424   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Isass.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03928   424   NtReadVirtualMemory  (272, 0x400000, 4096, ...  (272, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\00\2\0\0p\1\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0 \2\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0`\1\0", 4096, ) , 4096, ) == 0x0
 03929   424   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03930   424   NtQueryInformationProcess  (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1444,ParentPid=416,}, 0x0, ) == 0x0
 03931   424   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 12910592, 4096, ) == 0x0
 03932   424   NtAllocateVirtualMemory  (272, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03933   424   NtWriteVirtualMemory  (272, 0x10000,  (272, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03934   424   NtAllocateVirtualMemory  (272, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03935   424   NtWriteVirtualMemory  (272, 0x20000,  (272, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0s\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03936   424   NtWriteVirtualMemory  (272, 0x7ffdf010,  (272, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03937   424   NtWriteVirtualMemory  (272, 0x7ffdf1e8,  (272, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03938   424   NtFreeVirtualMemory  (-1, (0xc50000), 0, 32768, ... (0xc50000), 4096, ) == 0x0
 03939   424   NtAllocateVirtualMemory  (272, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03940   424   NtAllocateVirtualMemory  (272, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03941   424   NtProtectVirtualMemory  (272, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03942   424   NtCreateThread  (0x1f03ff, 0x0, 272, 1236636, 1237356, 1, ... 268, {1444, 1448}, ) == 0x0
 03943   424   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1451416, 1238456}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1451416, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\14\1\0\0\244\5\0\0\250\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 416, 424, 1611, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\14\1\0\0\244\5\0\0\250\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 416, 424, 1611, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1451416, 1238456} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\14\1\0\0\244\5\0\0\250\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 416, 424, 1611, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\14\1\0\0\244\5\0\0\250\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03944   424   NtResumeThread  (268, ... 1, ) == 0x0
 03945   424   NtClose  (264, ... ) == 0x0
 03946   424   NtClose  (260, ... ) == 0x0
 03947   424   NtTerminateProcess  (0, 0, ...
 02497  1024   NtWaitForMultipleObjects  ... ) == 0xc0
 03947   424   NtTerminateProcess  ... ) == 0x0
 03948   424   NtRaiseException  (1238120, 1237380, 1, ...
 03949   424   NtContinue  (1236176, 0, ...
 03950   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03951   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03952   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03953   424   NtRaiseException  (1228096, 1227356, 1, ...
 03954   424   NtContinue  (1226152, 0, ...
 03955   424   NtWaitForSingleObject  (320, 0, 0x0, ... ) == 0x0
 03956   424   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957   424   NtReleaseMutant  (320, ... 0x0, ) == 0x0
 03958   424   NtUnmapViewOfSection  (-1, 0x1200000, ... ) == 0x0
 03959   424   NtClose  (336, ... ) == 0x0
 03960   424   NtClose  (332, ... ) == 0x0
 03961   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0
 03962   424   NtFreeVirtualMemory  (-1, (0x1170000), 0, 32768, ... (0x1170000), 65536, ) == 0x0
 03963   424   NtClose  (324, ... ) == 0x0
 03964   424   NtClose  (328, ... ) == 0x0
 03965   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03966   424   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 328, ) }, ... 328, ) == 0x0
 03967   424   NtQueryValueKey  (328,  (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03968   424   NtClose  (328, ... ) == 0x0
 03969   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 03970   424   NtFreeVirtualMemory  (-1, (0xc40000), 0, 32768, ... (0xc40000), 65536, ) == 0x0
 03971   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03972   424   NtFreeVirtualMemory  (-1, (0xb00000), 0, 32768, ... (0xb00000), 262144, ) == 0x0
 03973   424   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 03974   424   NtClose  (276, ... ) == 0x0
 03975   424   NtFreeVirtualMemory  (-1, (0xaf0000), 4096, 16384, ... (0xaf0000), 4096, ) == 0x0
 03976   424   NtFreeVirtualMemory  (-1, (0xaf0000), 0, 32768, ... (0xaf0000), 65536, ) == 0x0
 03977   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03978   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03979   424   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 03980   424   NtClose  (108, ... ) == 0x0
 03981   424   NtGdiDeleteObjectApp  (101712860, ... ) == 0x1
 03982   424   NtUserGetProcessWindowStation  (... ) == 0x28
 03983   424   NtUserBuildNameList  (40, 256, 1329760, 1238760, ... ) == 0x0
 03984   424   NtUserGetProcessWindowStation  (... ) == 0x28
 03985   424   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 03986   424   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x3004c, 0x100e2, 0x100aa, 0x100a8, 0x100a6, 0x60030, 0x20062, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100e6, 0x100de, 0x100da, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005c, 0x100d6, 0x100cc, 0x100ca, 0x100c6, 0x200b2, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 43, ) == 0x0
 03987   424   NtUserQueryWindow  (196684, 0, ... ) == 0x770
 03988   424   NtUserQueryWindow  (196684, 1, ... ) == 0x780
 03989   424   NtUserQueryWindow  (65762, 0, ... ) == 0x770
 03990   424   NtUserQueryWindow  (65762, 1, ... ) == 0x780
 03991   424   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 03992   424   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 03993   424   NtUserQueryWindow  (65704, 0, ... ) == 0x7dc
 03994   424   NtUserQueryWindow  (65704, 1, ... ) == 0x7e0
 03995   424   NtUserQueryWindow  (65702, 0, ... ) == 0x7dc
 03996   424   NtUserQueryWindow  (65702, 1, ... ) == 0x7e0
 03997   424   NtUserQueryWindow  (393264, 0, ... ) == 0x7dc
 03998   424   NtUserQueryWindow  (393264, 1, ... ) == 0x7e0
 03999   424   NtUserQueryWindow  (131170, 0, ... ) == 0x770
 04000   424   NtUserQueryWindow  (131170, 1, ... ) == 0x780
 04001   424   NtUserQueryWindow  (65662, 0, ... ) == 0x770
 04002   424   NtUserQueryWindow  (65662, 1, ... ) == 0x780
 04003   424   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 04004   424   NtUserQueryWindow  (65664, 0, ... ) == 0x770
 04005   424   NtUserQueryWindow  (65664, 1, ... ) == 0x780
 04006   424   NtUserQueryWindow  (65670, 0, ... ) == 0x770
 04007   424   NtUserQueryWindow  (65670, 1, ... ) == 0x780
 04008   424   NtUserQueryWindow  (65672, 0, ... ) == 0x770
 04009   424   NtUserQueryWindow  (65672, 1, ... ) == 0x780
 04010   424   NtUserQueryWindow  (65674, 0, ... ) == 0x770
 04011   424   NtUserQueryWindow  (65674, 1, ... ) == 0x780
 04012   424   NtUserQueryWindow  (65678, 0, ... ) == 0x770
 04013   424   NtUserQueryWindow  (65678, 1, ... ) == 0x780
 04014   424   NtUserQueryWindow  (65680, 0, ... ) == 0x770
 04015   424   NtUserQueryWindow  (65680, 1, ... ) == 0x780
 04016   424   NtUserQueryWindow  (65682, 0, ... ) == 0x770
 04017   424   NtUserQueryWindow  (65682, 1, ... ) == 0x780
 04018   424   NtUserQueryWindow  (65684, 0, ... ) == 0x770
 04019   424   NtUserQueryWindow  (65684, 1, ... ) == 0x780
 04020   424   NtUserQueryWindow  (65686, 0, ... ) == 0x770
 04021   424   NtUserQueryWindow  (65686, 1, ... ) == 0x780
 04022   424   NtUserQueryWindow  (65690, 0, ... ) == 0x770
 04023   424   NtUserQueryWindow  (65690, 1, ... ) == 0x780
 04024   424   NtUserQueryWindow  (65696, 0, ... ) == 0x770
 04025   424   NtUserQueryWindow  (65696, 1, ... ) == 0x780
 04026   424   NtUserQueryWindow  (65698, 0, ... ) == 0x770
 04027   424   NtUserQueryWindow  (65698, 1, ... ) == 0x780
 04028   424   NtUserQueryWindow  (65652, 0, ... ) == 0x770
 04029   424   NtUserQueryWindow  (65652, 1, ... ) == 0x780
 04030   424   NtUserQueryWindow  (65640, 0, ... ) == 0x770
 04031   424   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 04032   424   NtUserQueryWindow  (196682, 0, ... ) == 0x770
 04033   424   NtUserQueryWindow  (196682, 1, ... ) == 0x780
 04034   424   NtUserQueryWindow  (65638, 0, ... ) == 0x770
 04035   424   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 04036   424   NtUserQueryWindow  (196668, 0, ... ) == 0x770
 04037   424   NtUserQueryWindow  (196668, 1, ... ) == 0x780
 04038   424   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 04039   424   NtUserQueryWindow  (196670, 0, ... ) == 0x770
 04040   424   NtUserQueryWindow  (196670, 1, ... ) == 0x780
 04041   424   NtUserQueryWindow  (196674, 0, ... ) == 0x770
 04042   424   NtUserQueryWindow  (196674, 1, ... ) == 0x780
 04043   424   NtUserQueryWindow  (196672, 0, ... ) == 0x770
 04044   424   NtUserQueryWindow  (196672, 1, ... ) == 0x780
 04045   424   NtUserQueryWindow  (196676, 0, ... ) == 0x770
 04046   424   NtUserQueryWindow  (196676, 1, ... ) == 0x780
 04047   424   NtUserQueryWindow  (196678, 0, ... ) == 0x770
 04048   424   NtUserQueryWindow  (196678, 1, ... ) == 0x780
 04049   424   NtUserQueryWindow  (196680, 0, ... ) == 0x770
 04050   424   NtUserQueryWindow  (196680, 1, ... ) == 0x780
 04051   424   NtUserQueryWindow  (65642, 0, ... ) == 0x770
 04052   424   NtUserQueryWindow  (65642, 1, ... ) == 0x780
 04053   424   NtUserQueryWindow  (65646, 0, ... ) == 0x770
 04054   424   NtUserQueryWindow  (65646, 1, ... ) == 0x780
 04055   424   NtUserQueryWindow  (65650, 0, ... ) == 0x770
 04056   424   NtUserQueryWindow  (65650, 1, ... ) == 0x780
 04057   424   NtUserQueryWindow  (65688, 0, ... ) == 0x770
 04058   424   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 04059   424   NtUserQueryWindow  (65676, 0, ... ) == 0x770
 04060   424   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 04061   424   NtUserQueryWindow  (65660, 0, ... ) == 0x770
 04062   424   NtUserQueryWindow  (65660, 1, ... ) == 0x774
 04063   424   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 04064   424   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 04065   424   NtUserQueryWindow  (65766, 0, ... ) == 0x4ec
 04066   424   NtUserQueryWindow  (65766, 1, ... ) == 0x514
 04067   424   NtUserQueryWindow  (65758, 0, ... ) == 0x134
 04068   424   NtUserQueryWindow  (65758, 1, ... ) == 0x40c
 04069   424   NtUserQueryWindow  (65754, 0, ... ) == 0x134
 04070   424   NtUserQueryWindow  (65754, 1, ... ) == 0x40c
 04071   424   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 04072   424   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 04073   424   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 04074   424   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 04075   424   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 04076   424   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 04077   424   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 04078   424   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 04079   424   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 04080   424   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 04081   424   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 04082   424   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 04083   424   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 04084   424   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 04085   424   NtUserQueryWindow  (65710, 0, ... ) == 0x7e4
 04086   424   NtUserQueryWindow  (65710, 1, ... ) == 0x7e8
 04087   424   NtUserQueryWindow  (131164, 0, ... ) == 0x7f0
 04088   424   NtUserQueryWindow  (131164, 1, ... ) == 0x7f4
 04089   424   NtUserQueryWindow  (65750, 0, ... ) == 0x770
 04090   424   NtUserQueryWindow  (65750, 1, ... ) == 0x430
 04091   424   NtUserQueryWindow  (65740, 0, ... ) == 0x770
 04092   424   NtUserQueryWindow  (65740, 1, ... ) == 0x430
 04093   424   NtUserBuildHwndList  (0, 65740, 1, 0, 64, ... (0x100ce, 0x100d0, 0x100d2, 0x100d4, 0x1, ), 5, ) == 0x0
 04094   424   NtUserQueryWindow  (65742, 0, ... ) == 0x770
 04095   424   NtUserQueryWindow  (65742, 1, ... ) == 0x430
 04096   424   NtUserQueryWindow  (65744, 0, ... ) == 0x770
 04097   424   NtUserQueryWindow  (65744, 1, ... ) == 0x430
 04098   424   NtUserQueryWindow  (65746, 0, ... ) == 0x770
 04099   424   NtUserQueryWindow  (65746, 1, ... ) == 0x430
 04100   424   NtUserQueryWindow  (65748, 0, ... ) == 0x770
 04101   424   NtUserQueryWindow  (65748, 1, ... ) == 0x430
 04102   424   NtUserQueryWindow  (65738, 0, ... ) == 0x770
 04103   424   NtUserQueryWindow  (65738, 1, ... ) == 0x780
 04104   424   NtUserQueryWindow  (65734, 0, ... ) == 0x770
 04105   424   NtUserQueryWindow  (65734, 1, ... ) == 0x780
 04106   424   NtUserQueryWindow  (131250, 0, ... ) == 0x770
 04107   424   NtUserQueryWindow  (131250, 1, ... ) == 0x780
 04108   424   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 04109   424   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 04110   424   NtUserQueryWindow  (131166, 0, ... ) == 0x7d4
 04111   424   NtUserQueryWindow  (131166, 1, ... ) == 0x7d8
 04112   424   NtUserQueryWindow  (65644, 0, ... ) == 0x770
 04113   424   NtUserQueryWindow  (65644, 1, ... ) == 0x79c
 04114   424   NtUserQueryWindow  (327760, 0, ... ) == 0x770
 04115   424   NtUserQueryWindow  (327760, 1, ... ) == 0x774
 04116   424   NtUserQueryWindow  (262228, 0, ... ) == 0x770
 04117   424   NtUserQueryWindow  (262228, 1, ... ) == 0x774
 04118   424   NtUserQueryWindow  (327758, 0, ... ) == 0x770
 04119   424   NtUserQueryWindow  (327758, 1, ... ) == 0x774
 04120   424   NtUserQueryWindow  (65666, 0, ... ) == 0x770
 04121   424   NtUserQueryWindow  (65666, 1, ... ) == 0x774
 04122   424   NtUserQueryWindow  (65654, 0, ... ) == 0x770
 04123   424   NtUserQueryWindow  (65654, 1, ... ) == 0x774
 04124   424   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 04125   424   NtUserQueryWindow  (65656, 0, ... ) == 0x770
 04126   424   NtUserQueryWindow  (65656, 1, ... ) == 0x774
 04127   424   NtUserQueryWindow  (65658, 0, ... ) == 0x770
 04128   424   NtUserQueryWindow  (65658, 1, ... ) == 0x774
 04129   424   NtUserCloseDesktop  (108, ...
 04130   424   NtClose  (108, ... ) == 0x0
 04129   424   NtUserCloseDesktop  ... ) == 0x1
 04131   424   NtUserGetProcessWindowStation  (... ) == 0x28
 04132   424   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04133   424   NtUserGetProcessWindowStation  (... ) == 0x28
 04134   424   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04135   424   NtGdiDeleteObjectApp  (201982938, ... ) == 0x1
 04136   424   NtGdiDeleteObjectApp  (118096856, ... ) == 0x1
 04137   424   NtClose  (12, ... ) == 0x0
 04138   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 04139   424   NtFreeVirtualMemory  (-1, (0x14e000), 16384, 16384, ... (0x14e000), 16384, ) == 0x0
 04140   424   NtClose  (100, ... ) == 0x0
 04141   424   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 04142   424   NtClose  (104, ... ) == 0x0
 04143   424   NtClose  (92, ... ) == 0x0
 04144   424   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 262144, ) == 0x0
 04145   424   NtUserUnregisterClass  (1238720, 1991376896, 1238708, ... ) == 0x0
 04146   424   NtQueryVirtualMemory  (-1, 0x946d20, Basic, 28, ... {BaseAddress=0x946000,AllocationBase=0x910000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 04147   424   NtQueryVirtualMemory  (-1, 0x94762c, Basic, 28, ... {BaseAddress=0x947000,AllocationBase=0x910000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 04148   424   NtQueryVirtualMemory  (-1, 0x91cef4, Basic, 28, ... {BaseAddress=0x91c000,AllocationBase=0x910000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 04149   424   NtGdiDeleteObjectApp  (336200708, ... ) == 0x1
 04150   424   NtGdiDeleteObjectApp  (302646281, ... ) == 0x1
 04151   424   NtGdiDeleteObjectApp  (973734918, ... ) == 0x1
 04152   424   NtUserDestroyCursor  (196767, 1, ... ) == 0x1
 04153   424   NtUserDestroyCursor  (196711, 1, ... ) == 0x1
 04154   424   NtUserDestroyCursor  (196769, 1, ... ) == 0x1
 04155   424   NtUserDestroyCursor  (196771, 1, ... ) == 0x1
 04156   424   NtUserDestroyCursor  (262309, 1, ... ) == 0x1
 04157   424   NtUserDestroyCursor  (262285, 1, ... ) == 0x1
 04158   424   NtUserDestroyCursor  (131189, 1, ... ) == 0x1
 04159   424   NtUserFindExistingCursorIcon  (1238108, 1238124, 1238692, ... ) == 0x10011
 04160   424   NtDeleteAtom  (49180, ... ) == 0x0
 04161   424   NtDeleteAtom  (49181, ... ) == 0x0
 04162   424   NtGdiDeleteObjectApp  (369624062, ... ) == 0x1
 04163   424   NtClose  (84, ... ) == 0x0
 04164   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 04165   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 04166   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04167   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 04168   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04169   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 04170   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04171   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 04172   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04173   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 04174   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04175   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 04176   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04177   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 04178   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04179   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 04180   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04181   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 04182   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04183   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 04184   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04185   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 04186   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04187   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 04188   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04189   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 04190   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04191   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 04192   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04193   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 04194   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04195   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 04196   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04197   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 04198   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04199   424   NtUserGetClassInfo  (1999896576, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 04200   424   NtUserUnregisterClass  (1238812, 1999896576, 1238800, ... ) == 0x1
 04201   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03b
 04202   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04203   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03d
 04204   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04205   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc03f
 04206   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04207   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc041
 04208   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04209   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc043
 04210   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04211   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc045
 04212   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04213   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc047
 04214   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04215   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc049
 04216   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04217   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04b
 04218   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04219   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04d
 04220   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04221   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc04f
 04222   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04223   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc051
 04224   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04225   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc053
 04226   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04227   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc057
 04228   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04229   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc059
 04230   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04231   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05b
 04232   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04233   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05d
 04234   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04235   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc05f
 04236   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04237   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc017
 04238   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04239   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc019
 04240   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04241   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc018
 04242   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04243   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01a
 04244   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04245   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01c
 04246   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04247   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01e
 04248   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04249   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc01b
 04250   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04251   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc068
 04252   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04253   424   NtUserGetClassInfo  (1905590272, 1238808, 1238760, 1238836, 0, ... ) == 0xc06a
 04254   424   NtUserUnregisterClass  (1238812, 1905590272, 1238800, ... ) == 0x1
 04255   424   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 04256   424   NtFreeVirtualMemory  (-1, (0x168000), 28672, 16384, ... (0x168000), 28672, ) == 0x0
 04257   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04258   424   NtClose  (156, ... ) == 0x0
 04259   424   NtClose  (344, ... ) == 0x0
 04260   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04261   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04262   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04263   424   NtClose  (152, ... ) == 0x0
 04264   424   NtClose  (348, ... ) == 0x0
 04265   424   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 04266   424   NtUnmapViewOfSection  (-1, 0xd60000, ... ) == 0x0
 04267   424   NtClose  (316, ... ) == 0x0
 04268   424   NtClose  (116, ... ) == 0x0
 04269   424   NtFreeVirtualMemory  (-1, (0x1160000), 4096, 32768, ... (0x1160000), 4096, ) == 0x0
 04270   424   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 4337694, 2147348480, 1310720, 1238944}  (24, {20, 48, new_msg, 0, 4337694, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 416, 424, 1646, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ... {20, 48, reply, 0, 416, 424, 1646, 0}  (24, {20, 48, new_msg, 0, 4337694, 2147348480, 1310720, 1238944} "\0\0\0\0\3\0\1\0\2$\370w\370T\367w\0\0\0\0" ... {20, 48, reply, 0, 416, 424, 1646, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370T\367w\0\0\0\0" )  ) == 0x0
 04271   424   NtTerminateProcess  (-1, 0, ...
 04272   424   NtClose  (44, ... ) == 0x0
NtAllocateLocallyUniqueId(>)	1	NtRegisterThreadTerminatePort(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtUserCallOneParam(>)	30
NtCallbackReturn(>)	1	NtSetEvent(>)	2	NtUserCallNoParam(>)	7	NtWriteFile(>)	30
NtClearEvent(>)	1	NtTestAlert(>)	2	NtUserDestroyCursor(>)	7	NtEnumerateKey(>)	32
NtConnectPort(>)	1	NtUserCloseDesktop(>)	2	NtUserSetCursorIconData(>)	7	NtOpenThreadToken(>)	32
NtDelayExecution(>)	1	NtUserCreateWindowEx(>)	2	NtGdiCreateBitmap(>)	8	NtCreateEvent(>)	33
NtDuplicateToken(>)	1	NtUserDestroyWindow(>)	2	NtWriteVirtualMemory(>)	8	NtFlushInstructionCache(>)	34
NtGdiCreateHalftonePalette(>)	1	NtUserGetObjectInformation(>)	2	NtGdiExtGetObjectW(>)	10	NtUnmapViewOfSection(>)	38
NtGdiCreatePatternBrushInternal(>)	1	NtUserMessageCall(>)	2	NtQueryDefaultUILanguage(>)	10	NtQueryInformationProcess(>)	39
NtGdiDoPalette(>)	1	NtAddAtom(>)	3	NtSetValueKey(>)	10	NtQueryDefaultLocale(>)	42
NtGdiInit(>)	1	NtCreateThread(>)	3	NtUserGetWindowDC(>)	10	NtContinue(>)	46
NtGdiQueryFontAssocInfo(>)	1	NtDuplicateObject(>)	3	NtGdiCreateCompatibleDC(>)	11	NtUserUnregisterClass(>)	47
NtOpenKeyedEvent(>)	1	NtOpenProcess(>)	3	NtUserGetDC(>)	11	NtCreateSection(>)	57
NtQueryFullAttributesFile(>)	1	NtResumeThread(>)	3	NtQueryVirtualMemory(>)	12	NtGdiSelectBitmap(>)	57
NtQueryInformationThread(>)	1	NtTerminateProcess(>)	3	NtFreeVirtualMemory(>)	13	NtUserRegisterClassExWOW(>)	65
NtQueryObject(>)	1	NtUserOpenDesktop(>)	3	NtOpenProcessToken(>)	14	NtProtectVirtualMemory(>)	68
NtQueryPerformanceCounter(>)	1	NtUserRemoveProp(>)	3	NtUserSelectPalette(>)	14	NtOpenSection(>)	73
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	3	NtUserSystemParametersInfo(>)	14	NtUserFindExistingCursorIcon(>)	73
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtCreateKey(>)	15	NtReleaseMutant(>)	74
NtUserBuildNameList(>)	1	NtOpenEvent(>)	4	NtNotifyChangeKey(>)	15	NtAllocateVirtualMemory(>)	83
NtUserEnumDisplayMonitors(>)	1	NtOpenMutant(>)	4	NtQueryVolumeInformationFile(>)	15	NtMapViewOfSection(>)	83
NtUserGetAtomName(>)	1	NtQuerySecurityObject(>)	4	NtRequestWaitReplyPort(>)	15	NtWaitForSingleObject(>)	84
NtUserGetForegroundWindow(>)	1	NtGdiHfontCreate(>)	5	NtDeviceIoControlFile(>)	17	NtOpenFile(>)	89
NtUserGetGUIThreadInfo(>)	1	NtReadVirtualMemory(>)	5	NtFsControlFile(>)	17	NtQuerySystemInformation(>)	91
NtUserGetKeyboardLayoutList(>)	1	NtSetInformationObject(>)	5	NtQueryDirectoryFile(>)	19	NtUserGetClassInfo(>)	91
NtUserGetThreadDesktop(>)	1	NtUserBuildHwndList(>)	5	NtSetInformationProcess(>)	21	NtReadFile(>)	95
NtUserSetProp(>)	1	NtUserGetProcessWindowStation(>)	5	NtUserRegisterWindowMessage(>)	21	NtOpenProcessTokenEx(>)	110
NtUserSetWindowsHookEx(>)	1	NtCreateSemaphore(>)	6	NtEnumerateValueKey(>)	23	NtOpenThreadTokenEx(>)	110
NtAccessCheck(>)	2	NtOpenSymbolicLinkObject(>)	6	NtRaiseException(>)	23	NtQueryInformationToken(>)	126
NtCreateIoCompletion(>)	2	NtQuerySymbolicLinkObject(>)	6	NtGdiDeleteObjectApp(>)	24	NtQueryKey(>)	129
NtCreateProcessEx(>)	2	NtGdiBitBlt(>)	7	NtQueryDebugFilterState(>)	24	NtUserQueryWindow(>)	138
NtDeleteAtom(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtSetInformationFile(>)	26	NtQueryAttributesFile(>)	157
NtGdiCreatePaletteInternal(>)	2	NtGdiGetDCObject(>)	7	NtReleaseSemaphore(>)	27	NtQueryValueKey(>)	223
NtGdiCreateSolidBrush(>)	2	NtGdiGetDCforBitmap(>)	7	NtSetInformationThread(>)	28	NtOpenKey(>)	478
NtOpenDirectoryObject(>)	2	NtGdiGetStockObject(>)	7	NtQuerySection(>)	29	NtClose(>)	576
NtQueryInformationJobObject(>)	2	NtGdiRestoreDC(>)	7	NtCreateFile(>)	30
NtQueryInstallUILanguage(>)	2	NtGdiSaveDC(>)	7