Summary (each entry is a syscall name followed by its call count; the columns run in ascending order of count, so the heaviest callers — NtClose, NtOpenKey, NtQueryValueKey — appear last):

NtAddAtom(>) 1 NtOpenDirectoryObject(>) 2 NtUserCallNoParam(>) 7 NtQueryDefaultLocale(>) 42
NtAllocateLocallyUniqueId(>) 1 NtQueryInstallUILanguage(>) 2 NtCreateThread(>) 8 NtContinue(>) 45
NtCallbackReturn(>) 1 NtSetEvent(>) 2 NtOpenSymbolicLinkObject(>) 8 NtCreateEvent(>) 46
NtDuplicateToken(>) 1 NtUnlockFile(>) 2 NtQuerySymbolicLinkObject(>) 8 NtUserUnregisterClass(>) 47
NtGdiCreateBitmap(>) 1 NtUserCloseDesktop(>) 2 NtRegisterThreadTerminatePort(>) 8 NtUserFindExistingCursorIcon(>) 49
NtGdiCreateHalftonePalette(>) 1 NtUserCreateWindowEx(>) 2 NtResumeThread(>) 8 NtQueryInformationFile(>) 50
NtGdiCreatePaletteInternal(>) 1 NtUserDestroyWindow(>) 2 NtQueryVirtualMemory(>) 9 NtSetInformationFile(>) 50
NtGdiCreatePatternBrushInternal(>) 1 NtUserGetObjectInformation(>) 2 NtReadVirtualMemory(>) 9 NtCreateFile(>) 52
NtGdiDoPalette(>) 1 NtUserMessageCall(>) 2 NtQueryDefaultUILanguage(>) 10 NtQueryDirectoryFile(>) 52
NtGdiInit(>) 1 NtYieldExecution(>) 2 NtUserGetWindowDC(>) 10 NtDelayExecution(>) 59
NtGdiQueryFontAssocInfo(>) 1 NtOpenMutant(>) 3 NtUserCallOneParam(>) 11 NtQueryInformationProcess(>) 63
NtGdiSelectBitmap(>) 1 NtOpenProcess(>) 3 NtUserSystemParametersInfo(>) 11 NtUserRegisterClassExWOW(>) 65
NtOpenKeyedEvent(>) 1 NtTerminateProcess(>) 3 NtSetValueKey(>) 13 NtProtectVirtualMemory(>) 72
NtQueryFullAttributesFile(>) 1 NtTerminateThread(>) 3 NtWriteVirtualMemory(>) 16 NtUnmapViewOfSection(>) 72
NtQueryObject(>) 1 NtUserOpenDesktop(>) 3 NtNotifyChangeKey(>) 17 NtWaitForSingleObject(>) 74
NtQueryPerformanceCounter(>) 1 NtUserRemoveProp(>) 3 NtOpenProcessToken(>) 17 NtCreateSection(>) 75
NtQuerySystemTime(>) 1 NtWaitForMultipleObjects(>) 3 NtCreateKey(>) 18 NtOpenSection(>) 78
NtSecureConnectPort(>) 1 NtConnectPort(>) 4 NtDeviceIoControlFile(>) 18 NtReadFile(>) 83
NtUserBuildNameList(>) 1 NtCreateProcessEx(>) 4 NtUserRegisterWindowMessage(>) 19 NtUserGetClassInfo(>) 91
NtUserGetAtomName(>) 1 NtGdiCreateCompatibleDC(>) 4 NtWriteFile(>) 20 NtQuerySystemInformation(>) 95
NtUserGetDC(>) 1 NtOpenEvent(>) 4 NtQueryVolumeInformationFile(>) 21 NtOpenProcessTokenEx(>) 112
NtUserGetForegroundWindow(>) 1 NtQueryInformationJobObject(>) 4 NtFsControlFile(>) 22 NtOpenThreadTokenEx(>) 112
NtUserGetGUIThreadInfo(>) 1 NtQueryInformationThread(>) 4 NtRaiseException(>) 23 NtAllocateVirtualMemory(>) 119
NtUserGetThreadDesktop(>) 1 NtQuerySecurityObject(>) 4 NtFlushInstructionCache(>) 24 NtMapViewOfSection(>) 120
NtUserKillTimer(>) 1 NtUserWaitForInputIdle(>) 4 NtFreeVirtualMemory(>) 24 NtQueryKey(>) 129
NtUserSetProp(>) 1 NtCreateMutant(>) 5 NtQueryDebugFilterState(>) 26 NtOpenFile(>) 130
NtUserSetTimer(>) 1 NtGdiGetStockObject(>) 5 NtReleaseSemaphore(>) 27 NtQueryInformationToken(>) 133
NtUserSetWindowsHookEx(>) 1 NtSetInformationObject(>) 5 NtRequestWaitReplyPort(>) 29 NtUserQueryWindow(>) 138
NtUserUnhookWindowsHookEx(>) 1 NtUserBuildHwndList(>) 5 NtEnumerateKey(>) 31 NtQueryAttributesFile(>) 182
NtAccessCheck(>) 2 NtUserGetProcessWindowStation(>) 5 NtSetInformationThread(>) 31 NtQueryValueKey(>) 373
NtClearEvent(>) 2 NtCreateSemaphore(>) 6 NtEnumerateValueKey(>) 33 NtOpenKey(>) 528
NtCreateIoCompletion(>) 2 NtGdiDeleteObjectApp(>) 6 NtOpenThreadToken(>) 36 NtClose(>) 713
NtGdiCreateSolidBrush(>) 2 NtSetEventBoostPriority(>) 6 NtSetInformationProcess(>) 36
NtGdiHfontCreate(>) 2 NtDuplicateObject(>) 7 NtQuerySection(>) 37
NtLockFile(>) 2

Trace (one record per call, in the form: sequence number, caller id (392 throughout), syscall name, input arguments, `...`, output values, `== NTSTATUS`; where a record number reappears, as with 00113/00114 or 00212/00213, the first call was interrupted by the nested ones and its return value is logged when it completes):

00001 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 392 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 392 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 392 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 392 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 392 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 392 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 392 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 392 NtClose (12, ... 
) == 0x0 00014 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 392 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 392 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 392 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 392 NtClose (16, ... ) == 0x0 00021 392 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 392 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 392 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 392 NtClose (16, ... ) == 0x0 00026 392 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 392 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 392 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 392 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 388, 392, 1479, 0} " o\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 388, 392, 1479, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 388, 392, 1479, 0} " o\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 392 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 392 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 392 NtClose (16, ... ) == 0x0 00036 392 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 392 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 392 NtClose (28, ... ) == 0x0 00041 392 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 392 NtClose (28, ... ) == 0x0 00045 392 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 392 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 392 NtClose (28, ... ) == 0x0 00049 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 392 NtClose (28, ... ) == 0x0 00052 392 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 388, 392, 1482, 0} "\220E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 388, 392, 1482, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 388, 392, 1482, 0} "\220E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 392 NtProtectVirtualMemory (-1, (0x42a000), 36864, 4, ... (0x42a000), 36864, 128, ) == 0x0 00057 392 NtProtectVirtualMemory (-1, (0x42a000), 36864, 128, ... (0x42a000), 36864, 4, ) == 0x0 00058 392 NtFlushInstructionCache (-1, 4366336, 36864, ... ) == 0x0 00059 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 392 NtClose (28, ... ) == 0x0 00062 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 392 NtClose (28, ... ) == 0x0 00065 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 392 NtClose (28, ... ) == 0x0 00068 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 392 NtClose (28, ... ) == 0x0 00071 392 NtProtectVirtualMemory (-1, (0x42a000), 36864, 4, ... (0x42a000), 36864, 64, ) == 0x0 00072 392 NtProtectVirtualMemory (-1, (0x42a000), 36864, 64, ... (0x42a000), 36864, 4, ) == 0x0 00073 392 NtFlushInstructionCache (-1, 4366336, 36864, ... 
) == 0x0 00074 392 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00075 392 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 392 NtClose (28, ... ) == 0x0 00077 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 392 NtClose (28, ... ) == 0x0 00080 392 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00081 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 392 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 392 NtClose (28, ... ) == 0x0 00085 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 392 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 392 NtClose (28, ... ) == 0x0 00088 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 392 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 388, 392, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 388, 392, 1484, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 388, 392, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00093 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x450000), 0x0, 1060864, ) == 0x0 00095 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 392 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 392 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00098 392 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 392 NtQueryInformationToken (-2147482020, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 392 NtClose (-2147482020, ... ) == 0x0 00101 392 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00102 392 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00103 392 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00105 392 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 392 NtClose (-2147482020, ... ) == 0x0 00107 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00108 392 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 392 NtClose (-2147482020, ... ) == 0x0 00110 392 NtQueryDefaultLocale (0, -136508916, ... ) == 0x0 00111 392 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 392 NtUserCallNoParam (24, ... ) == 0x0 00113 392 NtGdiCreateCompatibleDC (0, ... 00114 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00113 392 NtGdiCreateCompatibleDC ... ) == 0x51010408 00115 392 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 392 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 392 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x4905031a 00118 392 NtGdiCreateSolidBrush (0, 0, ... 00119 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8781824, 4096, ) == 0x0 00118 392 NtGdiCreateSolidBrush ... ) == 0x1d10031f 00120 392 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 392 NtGdiCreateCompatibleDC (0, ... 
) == 0x4001031e 00122 392 NtGdiSelectBitmap (1073808158, 1225065242, ... ) == 0x185000f 00123 392 NtUserGetThreadDesktop (392, 0, ... ) == 0x2c 00124 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 392 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 392 NtClose (52, ... ) == 0x0 00127 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 392 NtAllocateVirtualMemory (-1, 5730304, 0, 4096, 4096, 32, ... 5730304, 4096, ) == 0x0 00142 392 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 392 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 392 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 392 NtCallbackReturn (0, 0, 0, ... 00152 392 NtGdiInit (... ) == 0x1 00153 392 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 392 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 392 NtAllocateVirtualMemory (-1, 0, 0, 13650, 4096, 4, ... 8847360, 16384, ) == 0x0 00156 392 NtFreeVirtualMemory (-1, (0x870000), 0, 32768, ... (0x870000), 16384, ) == 0x0 00157 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00158 392 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 392 NtClose (52, ... ) == 0x0 00160 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 52, ) }, ... 52, ) == 0x0 00161 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00162 392 NtClose (52, ... 
) == 0x0 00163 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00164 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0 00165 392 NtAllocateVirtualMemory (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0 00166 392 NtAllocateVirtualMemory (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0 00167 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00168 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0 00169 392 NtClose (52, ... ) == 0x0 00170 392 NtAllocateVirtualMemory (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0 00171 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00172 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00173 392 NtClose (52, ... ) == 0x0 00174 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0 00175 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00176 392 NtClose (52, ... ) == 0x0 00177 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00178 392 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00179 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00180 392 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00181 392 NtClose (52, ... ) == 0x0 00182 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00183 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00184 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00185 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00186 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00187 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 392 NtClose (52, ... 
) == 0x0 00191 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00192 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 392 NtClose (52, ... ) == 0x0 00195 392 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00196 392 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 392 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00198 392 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00199 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00200 392 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00201 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00202 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00203 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00204 392 NtClose (56, ... ) == 0x0 00205 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 56, ) }, ... 56, ) == 0x0 00206 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x772d0000), 0x0, 405504, ) == 0x0 00207 392 NtClose (56, ... ) == 0x0 00208 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00209 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0 00210 392 NtQueryValueKey (56, (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00211 392 NtClose (56, ... ) == 0x0 00212 392 NtQueryDefaultUILanguage (1239892, ... 00213 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00214 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00215 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00216 392 NtClose (-2147482020, ... ) == 0x0 00217 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00218 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00219 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00220 392 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 392 NtClose (-2147482024, ... ) == 0x0 00222 392 NtClose (-2147482020, ... ) == 0x0 00212 392 NtQueryDefaultUILanguage ... 
) == 0x0 00223 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00224 392 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00225 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00226 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0 00227 392 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 8323072, ) == 0x0 00228 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00229 392 NtQueryDefaultUILanguage (2013024600, ... 00230 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00231 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00232 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00233 392 NtClose (-2147482020, ... ) == 0x0 00234 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00235 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00237 392 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 392 NtClose (-2147482024, ... 
) == 0x0 00239 392 NtClose (-2147482020, ... ) == 0x0 00229 392 NtQueryDefaultUILanguage ... ) == 0x0 00240 392 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00241 392 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00242 392 NtQueryDefaultLocale (1, 1237928, ... ) == 0x0 00243 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 392, 1493, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 392, 1493, 0} (24, {128, 156, new_msg, 0, 1238784, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 388, 392, 1493, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\356\22\0\0\0\0\0" ) ) == 0x0 00245 392 NtClose (56, ... ) == 0x0 00246 392 NtClose (60, ... ) == 0x0 00247 392 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00248 392 NtUnmapViewOfSection (-1, 0x12ee00, ... ) == STATUS_NOT_MAPPED_VIEW 00249 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00253 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237012, ... ) }, 1237012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00255 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00256 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00257 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237604, ... ) }, 1237604, ... ) == 0x0 00258 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0 00259 392 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00260 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00261 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00262 392 NtClose (56, ... ) == 0x0 00263 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 921600, ) == 0x0 00264 392 NtClose (64, ... ) == 0x0 00265 392 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00266 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00267 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0 00268 392 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00269 392 NtOpenProcessToken (-1, 0x8, ... 68, ) == 0x0 00270 392 NtQueryInformationToken (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00271 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00272 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0 00273 392 NtQueryValueKey (72, (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00274 392 NtClose (72, ... ) == 0x0 00275 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00276 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00277 392 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00278 392 NtClose (72, ... ) == 0x0 00279 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 392 NtClose (68, ... ) == 0x0 00281 392 NtClose (64, ... ) == 0x0 00282 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00283 392 NtClose (56, ... ) == 0x0 00284 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00285 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00286 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00287 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00288 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00289 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00290 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00291 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00292 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00293 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00294 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00295 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00296 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00297 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00298 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00299 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00300 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00301 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00302 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00303 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00304 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00305 392 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238788, ... ) , 42, 1238788, ... ) == 0x0 00306 392 NtQueryDefaultUILanguage (1237504, ... 00307 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00308 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00309 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00310 392 NtClose (-2147482020, ... ) == 0x0 00311 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00312 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00313 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00314 392 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 392 NtClose (-2147482024, ... ) == 0x0 00316 392 NtClose (-2147482020, ... ) == 0x0 00306 392 NtQueryDefaultUILanguage ... 
) == 0x0 00317 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236356, ... ) }, 1236356, ... ) == 0x0 00319 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00320 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00321 392 NtClose (56, ... ) == 0x0 00322 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 4096, ) == 0x0 00323 392 NtClose (64, ... ) == 0x0 00324 392 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00325 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235996, ... ) }, 1235996, ... ) == 0x0 00326 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236696, (0x80100080, {24, 0, 0x40, 0, 1236696, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00327 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0 00328 392 NtClose (64, ... ) == 0x0 00329 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 4096, ) == 0x0 00330 392 NtClose (56, ... ) == 0x0 00331 392 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00332 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00333 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0 00334 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x890000), 0x0, 4096, ) == 0x0 00335 392 NtQueryInformationFile (56, 1236316, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00336 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00337 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 392, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 392, 1494, 0} (24, {128, 156, new_msg, 0, 1236396, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 392, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\254\344\22\0\0\0\0\0" ) ) == 0x0 00338 392 NtClose (56, ... ) == 0x0 00339 392 NtClose (64, ... ) == 0x0 00340 392 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00341 392 NtUnmapViewOfSection (-1, 0x12e4ac, ... 
) == STATUS_NOT_MAPPED_VIEW 00342 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00343 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00344 392 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00345 392 NtUserGetDC (0, ... ) == 0x1010053 00346 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00347 392 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00348 392 NtUserSystemParametersInfo (66, 12, 1238808, 0, ... ) == 0x1 00349 392 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00350 392 NtAccessCheck (1327064, 64, 0x1, 1238212, 1238156, 56, 1238240, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00351 392 NtClose (64, ... ) == 0x0 00352 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00353 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00354 392 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00355 392 NtClose (64, ... ) == 0x0 00356 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00357 392 NtSetInformationObject (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00358 392 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00359 392 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00360 392 NtClose (56, ... ) == 0x0 00361 392 NtUserSystemParametersInfo (41, 500, 1238308, 0, ... ) == 0x1 00362 392 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00363 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0 00364 392 NtQueryValueKey (56, (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00365 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00366 392 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00367 392 NtClose (68, ... ) == 0x0 00368 392 NtClose (56, ... ) == 0x0 00369 392 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00370 392 NtUserSystemParametersInfo (4130, 0, 1238832, 0, ... ) == 0x1 00371 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0 00372 392 NtEnumerateValueKey (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00373 392 NtClose (56, ... ) == 0x0 00374 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00375 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc03b 00376 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc03d 00377 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00378 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc03f 00379 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00380 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc041 00381 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00382 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc043 00383 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc045 00384 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00385 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... 
) == 0x810dc047 00386 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00387 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc049 00388 392 NtUserGetClassInfo (1905590272, 1238728, 1238680, 1238756, 0, ... ) == 0xc049 00389 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00390 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04b 00391 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00392 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04d 00393 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00394 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc04f 00395 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc051 00396 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00397 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc053 00398 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00399 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc055 00400 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc057 00401 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00402 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc059 00403 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10013 00404 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc05b 00405 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00406 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... 
) == 0x810dc05d 00407 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00408 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc05f 00409 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00410 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc017 00411 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00412 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc019 00413 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10013 00414 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810dc018 00415 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00416 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc01a 00417 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00418 392 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... 00419 392 NtAllocateVirtualMemory (-1, 5734400, 0, 4096, 4096, 32, ... 5734400, 4096, ) == 0x0 00418 392 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00420 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... ) == 0x10011 00421 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc01e 00422 392 NtUserFindExistingCursorIcon (1238112, 1238128, 1238696, ... ) == 0x10011 00423 392 NtUserRegisterClassExWOW (1238624, 1238704, 1238688, 1238720, 0, 384, 0, ... ) == 0x810dc01b 00424 392 NtUserFindExistingCursorIcon (1238108, 1238124, 1238692, ... ) == 0x10011 00425 392 NtUserRegisterClassExWOW (1238620, 1238700, 1238684, 1238716, 0, 384, 0, ... ) == 0x810dc068 00426 392 NtUserFindExistingCursorIcon (1238116, 1238132, 1238700, ... 
) == 0x10011 00427 392 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810dc06a 00428 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00429 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00430 392 NtClose (56, ... ) == 0x0 00431 392 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 56, ) == 0x0 00432 392 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00433 392 NtClose (56, ... ) == 0x0 00434 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00435 392 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00436 392 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00437 392 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00438 392 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00439 392 NtClose (56, ... ) == 0x0 00440 392 NtUserSystemParametersInfo (41, 500, 1239468, 0, ... ) == 0x1 00441 392 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00442 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00443 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00444 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc03b 00445 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00446 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc03d 00447 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00448 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00449 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... 
) == 0x810dc03f 00450 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00451 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00452 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc041 00453 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00454 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00455 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc043 00456 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00457 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc045 00458 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00459 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00460 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc047 00461 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00462 392 NtUserFindExistingCursorIcon (1239256, 1239272, 1239840, ... ) == 0x10011 00463 392 NtUserRegisterClassExWOW (1239708, 1239788, 1239772, 1239804, 0, 384, 0, ... ) == 0x810dc049 00464 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00465 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00466 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04b 00467 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00468 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00469 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04d 00470 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00471 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... 
) == 0x10011 00472 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc04f 00473 392 NtUserGetClassInfo (1999896576, 1239880, 1239832, 1239908, 0, ... ) == 0x0 00474 392 NtUserRegisterClassExWOW (1239716, 1239796, 1239780, 1239812, 0, 384, 0, ... ) == 0x810dc051 00475 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00476 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00477 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc053 00478 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00479 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00480 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc055 00481 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc057 00482 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00483 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00484 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc059 00485 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00486 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10013 00487 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05b 00488 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00489 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... ) == 0x10011 00490 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05d 00491 392 NtUserGetClassInfo (1999896576, 1239876, 1239828, 1239904, 0, ... ) == 0x0 00492 392 NtUserFindExistingCursorIcon (1239260, 1239276, 1239844, ... 
) == 0x10011 00493 392 NtUserRegisterClassExWOW (1239712, 1239792, 1239776, 1239808, 0, 384, 0, ... ) == 0x810dc05f 00494 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03b 00495 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03d 00496 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc03f 00497 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc041 00498 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc043 00499 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc045 00500 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc047 00501 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc049 00502 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04b 00503 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04d 00504 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc04f 00505 392 NtUserGetClassInfo (1999896576, 1241632, 1241584, 1241660, 0, ... ) == 0xc051 00506 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc053 00507 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc055 00508 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc059 00509 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05b 00510 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05d 00511 392 NtUserGetClassInfo (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0xc05f 00512 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241536, ... ) }, 1241536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00514 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241536, ... ) }, 1241536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241536, ... ) }, 1241536, ... ) == 0x0 00516 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00517 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0 00518 392 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00519 392 NtClose (56, ... ) == 0x0 00520 392 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00521 392 NtClose (68, ... ) == 0x0 00522 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00524 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00525 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240732, ... ) }, 1240732, ... ) == 0x0 00526 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00527 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0 00528 392 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00529 392 NtClose (68, ... 
) == 0x0 00530 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00531 392 NtClose (56, ... ) == 0x0 00532 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00533 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00534 392 NtQueryVirtualMemory (-1, 0x425080, Basic, 28, ... {BaseAddress=0x425000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 00535 392 NtProtectVirtualMemory (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00536 392 NtProtectVirtualMemory (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00537 392 NtProtectVirtualMemory (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00538 392 NtProtectVirtualMemory (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00539 392 NtProtectVirtualMemory (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00540 392 NtProtectVirtualMemory (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00541 392 NtProtectVirtualMemory (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00542 392 NtProtectVirtualMemory (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00543 392 NtProtectVirtualMemory (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00544 392 NtProtectVirtualMemory (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00545 392 NtProtectVirtualMemory (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0 00546 392 NtProtectVirtualMemory (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0 00547 392 NtTestAlert (... ) == 0x0 00548 392 NtContinue (1244464, 1, ... 
00549 392 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x444000,}, 4, ... ) == 0x0 00550 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0 00551 392 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176} (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176} "\0\0\0\0\2\0\1\0\31\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 388, 392, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 388, 392, 1497, 0} (24, {20, 48, new_msg, 0, 1310720, 1329472, 1, 1311176} "\0\0\0\0\2\0\1\0\31\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 388, 392, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00552 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243664, (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 00553 392 NtQueryDirectoryFile (-2147482020, 0, 0, 0, -519811072, 4096, Names, 1, (-2147482020, 0, 0, 0, -519811072, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0 00554 392 NtClose (-2147482020, ... ) == 0x0 00552 392 NtCreateFile ... 56, {status=0x0, info=2}, ) == 0x0 00555 392 NtClose (56, ... ) == 0x0 00556 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00557 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243644, (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00558 392 NtClose (-2147482020, ... ) == 0x0 00559 392 NtQueryDirectoryFile (-2147482020, 0, 0, 0, -519811072, 4096, Names, 1, (-2147482020, 0, 0, 0, -519811072, 4096, Names, 1, "~1.tmp.exe", 1, ... 
) , 1, ... ) == STATUS_NO_SUCH_FILE 00560 392 NtClose (-2147482020, ... ) == 0x0 00557 392 NtCreateFile ... 56, {status=0x0, info=2}, ) == 0x0 00561 392 NtQueryVolumeInformationFile (56, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00562 392 NtQueryInformationFile (56, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00563 392 NtWriteFile (56, 0, 0, 0, (56, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0 00564 392 NtClose (56, ... ) == 0x0 00565 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00566 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0 00567 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... 
) }, 1241060, ... ) == 0x0 00568 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00569 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0 00570 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00571 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 72, ) }, ... 72, ) == 0x0 00572 392 NtQueryValueKey (72, (72, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 392 NtClose (72, ... ) == 0x0 00574 392 NtQueryVolumeInformationFile (56, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00575 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0 00576 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00577 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0 00578 392 NtClose (72, ... ) == 0x0 00579 392 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 106496, ) == 0x0 00580 392 NtClose (76, ... ) == 0x0 00581 392 NtUnmapViewOfSection (-1, 0x8b0000, ... ) == 0x0 00582 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0 00583 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 
76, {status=0x0, info=1}, ) == 0x0 00584 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0 00585 392 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00586 392 NtClose (76, ... ) == 0x0 00587 392 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 00588 392 NtClose (72, ... ) == 0x0 00589 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00590 392 NtQueryInformationFile (72, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00591 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00592 392 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8b0000), 0x0, 1028096, ) == 0x0 00593 392 NtQueryInformationFile (72, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00594 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00596 392 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00597 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00598 392 NtQueryDirectoryFile (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 00599 392 NtClose (80, ... ) == 0x0 00600 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 00601 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00602 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0 00603 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00604 392 NtQueryDirectoryFile (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 00605 392 NtClose (80, ... ) == 0x0 00606 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00607 392 NtQueryDirectoryFile (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00608 392 NtClose (80, ... ) == 0x0 00609 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00610 392 NtQueryDirectoryFile (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00611 392 NtClose (80, ... ) == 0x0 00612 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 
80, {status=0x0, info=1}, ) == 0x0 00613 392 NtQueryDirectoryFile (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00614 392 NtClose (80, ... ) == 0x0 00615 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00616 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00617 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00618 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00619 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00620 392 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00621 392 NtClose (80, ... ) == 0x0 00622 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00623 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00624 392 NtUnmapViewOfSection (-1, 0x8b0000, ... ) == 0x0 00625 392 NtClose (76, ... ) == 0x0 00626 392 NtClose (72, ... ) == 0x0 00627 392 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00628 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00629 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00630 392 NtOpenProcessToken (-1, 0xa, ... 
72, ) == 0x0 00631 392 NtQueryInformationToken (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00632 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00633 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00634 392 NtQueryValueKey (76, (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00635 392 NtQueryValueKey (76, (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00636 392 NtClose (76, ... ) == 0x0 00637 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00638 392 NtQueryValueKey (76, (76, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00639 392 NtQueryValueKey (76, (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (76, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 00640 392 NtClose (76, ... ) == 0x0 00641 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00642 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00643 392 NtQueryValueKey (76, (76, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00644 392 NtClose (76, ... ) == 0x0 00645 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00646 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00647 392 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00648 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00649 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00650 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00651 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00652 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00653 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00654 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00655 392 NtQueryDefaultLocale (1, 1239740, ... ) == 0x0 00656 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 76, ) }, ... 76, ) == 0x0 00657 392 NtEnumerateKey (76, 0, Basic, 280, ... 
{LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 00658 392 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 80, ) }, ... 80, ) == 0x0 00659 392 NtQueryValueKey (80, (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 00660 392 NtQueryValueKey (80, (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00661 392 NtClose (80, ... ) == 0x0 00662 392 NtEnumerateKey (76, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00663 392 NtClose (76, ... ) == 0x0 00664 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00666 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00667 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00668 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00669 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00670 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00671 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00673 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00674 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00675 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00679 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00680 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00681 392 NtClose (76, ... ) == 0x0 00682 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00683 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00684 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00685 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00686 392 NtClose (76, ... ) == 0x0 00687 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00688 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00689 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00690 392 NtQueryInformationToken (76, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00691 392 NtClose (76, ... ) == 0x0 00692 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00693 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00694 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00695 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00696 392 NtClose (76, ... ) == 0x0 00697 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00698 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00699 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00700 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00701 392 NtClose (76, ... ) == 0x0 00702 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00703 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00704 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00705 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00706 392 NtClose (76, ... ) == 0x0 00707 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00708 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00709 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00710 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00711 392 NtClose (76, ... ) == 0x0 00712 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00713 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00714 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00715 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00716 392 NtClose (76, ... ) == 0x0 00717 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00719 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00720 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00721 392 NtClose (76, ... ) == 0x0 00722 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00724 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00725 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00726 392 NtClose (76, ... 
) == 0x0 00727 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00729 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00730 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00731 392 NtClose (76, ... ) == 0x0 00732 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00733 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00734 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00735 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00736 392 NtClose (76, ... ) == 0x0 00737 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00738 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00739 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00740 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00741 392 NtClose (76, ... ) == 0x0 00742 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00744 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00745 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00746 392 NtClose (76, ... ) == 0x0 00747 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00748 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00749 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00750 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00751 392 NtClose (76, ... ) == 0x0 00752 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00753 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00754 392 NtQueryValueKey (76, (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 00755 392 NtClose (76, ... ) == 0x0 00756 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00757 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00758 392 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00759 392 NtClose (76, ... 
) == 0x0 00760 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00761 392 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00762 392 NtOpenProcessToken (-1, 0xa, ... 76, ) == 0x0 00763 392 NtDuplicateToken (76, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 80, ) == 0x0 00764 392 NtClose (76, ... ) == 0x0 00765 392 NtAccessCheck (1337824, 80, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0 00766 392 NtClose (80, ... ) == 0x0 00767 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0 00768 392 NtQueryValueKey (80, (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00769 392 NtClose (80, ... ) == 0x0 00770 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 80, ) }, ... 80, ) == 0x0 00771 392 NtQuerySymbolicLinkObject (80, ... (80, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 00772 392 NtClose (80, ... ) == 0x0 00773 392 NtQueryInformationFile (56, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0 00774 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00775 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00776 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... 
) == 0x0 00777 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00778 392 NtQueryDirectoryFile (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00779 392 NtClose (80, ... ) == 0x0 00780 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00781 392 NtQueryDirectoryFile (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00782 392 NtClose (80, ... ) == 0x0 00783 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00784 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00785 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00786 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00787 392 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00788 392 NtClose (80, ... ) == 0x0 00789 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00790 392 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 76, ) }, ... 76, ) == 0x0 00791 392 NtClose (80, ... ) == 0x0 00792 392 NtQueryValueKey (76, (76, "Cache", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00793 392 NtQueryValueKey (76, (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 00794 392 NtClose (76, ... ) == 0x0 00795 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 8978432, 4096, ) == 0x0 00796 392 NtAllocateVirtualMemory (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0 00797 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00798 392 NtQueryValueKey (76, (76, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00799 392 NtClose (76, ... ) == 0x0 00800 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00801 392 NtQueryInformationToken (72, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 00802 392 NtQueryInformationToken (72, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 00803 392 NtClose (72, ... ) == 0x0 00804 392 NtCreateProcessEx (1242996, 2035711, 0, -1, 0, 68, 0, 0, 0, ... ) == 0x0 00805 392 NtQueryInformationProcess (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=496,ParentPid=388,}, 0x0, ) == 0x0 00806 392 NtReadVirtualMemory (72, 0x7ffdf008, 4, ... 
(72, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0 00807 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00808 392 NtAllocateVirtualMemory (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0 00809 392 NtReadVirtualMemory (72, 0x9800000, 4096, ... (72, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0 00810 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00811 392 NtQueryInformationProcess (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=496,ParentPid=388,}, 0x0, ) == 0x0 00812 392 NtAllocateVirtualMemory (-1, 0, 0, 1772, 4096, 4, ... 9109504, 4096, ) == 0x0 00813 392 NtAllocateVirtualMemory (72, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 00814 392 NtWriteVirtualMemory (72, 0x10000, (72, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 00815 392 NtAllocateVirtualMemory (72, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0 00816 392 NtWriteVirtualMemory (72, 0x20000, (72, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 
\0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0 00817 392 NtWriteVirtualMemory (72, 0x7ffdf010, (72, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00818 392 NtWriteVirtualMemory (72, 0x7ffdf1e8, (72, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00819 392 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0 00820 392 NtAllocateVirtualMemory (72, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 00821 392 NtAllocateVirtualMemory (72, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 00822 392 NtProtectVirtualMemory (72, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 00823 392 NtCreateThread (0x1f03ff, 0x0, 72, 1241260, 1241980, 1, ... 
76, {496, 492}, ) == 0x0 00824 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0\360\1\0\0\354\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 1498, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0\360\1\0\0\354\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 388, 392, 1498, 0} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0\360\1\0\0\354\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 1498, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0\360\1\0\0\354\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00825 392 NtResumeThread (76, ... 1, ) == 0x0 00826 392 NtClose (56, ... ) == 0x0 00827 392 NtClose (68, ... ) == 0x0 00828 392 NtQueryInformationProcess (72, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=496,ParentPid=388,}, 0x0, ) == 0x0 00829 392 NtUserWaitForInputIdle (496, 30000, 0, ... 00830 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00831 392 NtClose (68, ... ) == 0x0 00829 392 NtUserWaitForInputIdle ... ) == 0x102 00832 392 NtClose (72, ... ) == 0x0 00833 392 NtClose (76, ... ) == 0x0 00834 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00835 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00836 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 76, ) }, ... 76, ) == 0x0 00837 392 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0 00838 392 NtClose (76, ... ) == 0x0 00839 392 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244956, (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ... 00840 392 NtClose (-2147482108, ... ) == 0x0 00839 392 NtCreateFile ... 
76, {status=0x0, info=2}, ) == 0x0 00841 392 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0 00842 392 NtClose (76, ... ) == 0x0 00843 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0 00844 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244368, (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00845 392 NtQueryVolumeInformationFile (76, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00846 392 NtQueryInformationFile (76, 1244420, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 00847 392 NtQueryInformationFile (76, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00848 392 NtSetInformationFile (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00849 392 NtSetInformationFile (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00850 392 NtReadFile (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00851 392 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 9109504, 524288, ) == 0x0 00852 392 NtAllocateVirtualMemory (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0 00853 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244372, (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00855 392 NtClose (-2147482108, ... ) == 0x0 00854 392 NtCreateFile ... 72, {status=0x0, info=2}, ) == 0x0 00856 392 NtQueryVolumeInformationFile (72, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00857 392 NtQueryInformationFile (72, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00858 392 NtAllocateVirtualMemory (-1, 1347584, 0, 36864, 4096, 4, ... 1347584, 36864, ) == 0x0 00859 392 NtAllocateVirtualMemory (-1, 1384448, 0, 36864, 4096, 4, ... 1384448, 36864, ) == 0x0 00860 392 NtQueryInformationFile (76, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00861 392 NtSetInformationFile (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00862 392 NtSetInformationFile (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00863 392 NtReadFile (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (76, 0, 0, 0, 14, 0x0, 0, ... 
{status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0 00864 392 NtSetInformationFile (76, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00865 392 NtSetInformationFile (72, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00866 392 NtReadFile (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0 00867 392 NtWriteFile (72, 0, 0, 0, (72, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 
\10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 00868 392 NtWriteFile (72, 0, 0, 0, (72, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0 00869 392 NtQueryInformationFile (76, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00870 392 NtSetInformationFile (72, 1244896, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 00871 392 NtFreeVirtualMemory (-1, (0x147000), 81920, 16384, ... (0x147000), 81920, ) == 0x0 00872 392 NtClose (72, ... ) == 0x0 00873 392 NtClose (76, ... ) == 0x0 00874 392 NtUnmapViewOfSection (-1, 0x73dc0000, ... ) == 0x0 00875 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0 00876 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00877 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 76, ... 72, ) == 0x0 00878 392 NtClose (76, ... ) == 0x0 00879 392 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x930000), 0x0, 36864, ) == 0x0 00880 392 NtClose (72, ... ) == 0x0 00881 392 NtUnmapViewOfSection (-1, 0x930000, ... ) == 0x0 00882 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0 00883 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00884 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0 00885 392 NtQuerySection (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00886 392 NtClose (72, ... ) == 0x0 00887 392 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0 00888 392 NtClose (76, ... ) == 0x0 00889 392 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0 00890 392 NtProtectVirtualMemory (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0 00891 392 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00892 392 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... 
(0x10001000), 4096, 64, ) == 0x0 00893 392 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00894 392 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00895 392 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00896 392 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00897 392 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00898 392 NtProtectVirtualMemory (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0 00899 392 NtProtectVirtualMemory (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0 00900 392 NtFlushInstructionCache (-1, 268439552, 308, ... ) == 0x0 00901 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00902 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00903 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0 00904 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00905 392 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00906 392 NtUserSetWindowsHookEx (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3003b 00907 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9633792, 1048576, ) == 0x0 00908 392 NtAllocateVirtualMemory (-1, 10674176, 0, 8192, 4096, 4, ... 10674176, 8192, ) == 0x0 00909 392 NtProtectVirtualMemory (-1, (0xa2e000), 4096, 260, ... (0xa2e000), 4096, 4, ) == 0x0 00910 392 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {388, 1492}, ) == 0x0 00911 392 NtQueryInformationThread (72, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=388,Tid=1492,}, 0x0, ) == 0x0 00912 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\204\1\0\0\324\5\0\0" ... {28, 56, reply, 0, 388, 392, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\204\1\0\0\324\5\0\0" ) ... {28, 56, reply, 0, 388, 392, 2254, 0} (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0\204\1\0\0\324\5\0\0" ... {28, 56, reply, 0, 388, 392, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0\204\1\0\0\324\5\0\0" ) ) == 0x0 00913 392 NtResumeThread (72, ... 1, ) == 0x0 00914 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10682368, 1048576, ) == 0x0 00915 392 NtAllocateVirtualMemory (-1, 11722752, 0, 8192, 4096, 4, ... 11722752, 8192, ) == 0x0 00916 392 NtProtectVirtualMemory (-1, (0xb2e000), 4096, 260, ... 00917 1492 NtCreateEvent (0x100003, 0x0, 1, 0, ... 68, ) == 0x0 00918 1492 NtWaitForSingleObject (68, 0, 0x0, ... 00916 392 NtProtectVirtualMemory ... (0xb2e000), 4096, 4, ) == 0x0 00919 392 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 56, {388, 1500}, ) == 0x0 00920 392 NtQueryInformationThread (56, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=388,Tid=1500,}, 0x0, ) == 0x0 00921 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 388, 392, 2254, 0} (24, {28, 56, new_msg, 0, 388, 392, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\204\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 388, 392, 2255, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\204\1\0\0\334\5\0\0" ) ... {28, 56, reply, 0, 388, 392, 2255, 0} (24, {28, 56, new_msg, 0, 388, 392, 2254, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\204\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 388, 392, 2255, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0\204\1\0\0\334\5\0\0" ) ) == 0x0 00922 392 NtResumeThread (56, ... 1, ) == 0x0 00923 392 NtUserSetTimer (0, 0, 4096, 268451664, ... 
) == 0x7ff9 00924 1500 NtWaitForSingleObject (68, 0, 0x0, ... 00925 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11730944, 1048576, ) == 0x0 00926 392 NtAllocateVirtualMemory (-1, 12771328, 0, 8192, 4096, 4, ... 12771328, 8192, ) == 0x0 00927 392 NtProtectVirtualMemory (-1, (0xc2e000), 4096, 260, ... (0xc2e000), 4096, 4, ) == 0x0 00928 392 NtCreateThread (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {388, 1504}, ) == 0x0 00929 392 NtQueryInformationThread (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=388,Tid=1504,}, 0x0, ) == 0x0 00930 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 388, 392, 2255, 0} (24, {28, 56, new_msg, 0, 388, 392, 2255, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\204\1\0\0\340\5\0\0" ... {28, 56, reply, 0, 388, 392, 2256, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\204\1\0\0\340\5\0\0" ) ... {28, 56, reply, 0, 388, 392, 2256, 0} (24, {28, 56, new_msg, 0, 388, 392, 2255, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\204\1\0\0\340\5\0\0" ... {28, 56, reply, 0, 388, 392, 2256, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\204\1\0\0\340\5\0\0" ) ) == 0x0 00931 392 NtResumeThread (80, ... 1, ) == 0x0 00932 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 392 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... }, {20480, 0}, 4, 134217728, 0, ... 00934 1504 NtWaitForSingleObject (68, 0, 0x0, ... 00933 392 NtCreateSection ... 84, ) == 0x0 00935 392 NtSetEventBoostPriority (68, ... 00918 1492 NtWaitForSingleObject ... ) == 0x0 00936 1492 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00937 1492 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00938 1492 NtSetEventBoostPriority (68, ... 00924 1500 NtWaitForSingleObject ... 
) == 0x0 00939 1500 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00940 1500 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00941 1500 NtSetEventBoostPriority (68, ... 00934 1504 NtWaitForSingleObject ... ) == 0x0 00942 1504 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00943 1504 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00944 1504 NtTestAlert (... ) == 0x0 00945 1504 NtContinue (12778800, 1, ... 00946 1504 NtRegisterThreadTerminatePort (24, ... 00941 1500 NtSetEventBoostPriority ... ) == 0x0 00938 1492 NtSetEventBoostPriority ... ) == 0x0 00935 392 NtSetEventBoostPriority ... ) == 0x0 00947 1500 NtTestAlert (... 00948 1492 NtTestAlert (... 00949 392 NtMapViewOfSection (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... 00947 1500 NtTestAlert ... ) == 0x0 00948 1492 NtTestAlert ... ) == 0x0 00949 392 NtMapViewOfSection ... (0xc30000), {0, 0}, 20480, ) == 0x0 00946 1504 NtRegisterThreadTerminatePort ... ) == 0x0 00950 1500 NtContinue (11730224, 1, ... 00951 392 NtUnmapViewOfSection (-1, 0xc30000, ... 00952 1504 NtDelayExecution (0, {-20480000, -1}, ... 00953 1500 NtRegisterThreadTerminatePort (24, ... 00954 1492 NtContinue (10681648, 1, ... 00953 1500 NtRegisterThreadTerminatePort ... ) == 0x0 00955 1492 NtRegisterThreadTerminatePort (24, ... 00956 1500 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... }, ... 00955 1492 NtRegisterThreadTerminatePort ... ) == 0x0 00956 1500 NtOpenKey ... 88, ) == 0x0 00957 1492 NtDelayExecution (0, {-40960000, -1}, ... 00958 1500 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ... 00951 392 NtUnmapViewOfSection ... 
) == 0x0 00959 392 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00960 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243652, ... ) }, 1243652, ... ) == 0x0 00961 392 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1339088, 1339080, 0, 1243992} (24, {20, 48, new_msg, 0, 1339088, 1339080, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 388, 392, 2257, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\0\0\0\0\3\0\0\0" ) ... {20, 48, reply, 0, 388, 392, 2257, 0} (24, {20, 48, new_msg, 0, 1339088, 1339080, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 388, 392, 2257, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\0\0\0\0\3\0\0\0" ) ) == 0x0 00962 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243660, (0x80100080, {24, 0, 0x40, 0, 1243660, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 00963 392 NtQueryDirectoryFile (-2147482108, 0, 0, 0, -519876608, 4096, Names, 1, (-2147482108, 0, 0, 0, -519876608, 4096, Names, 1, "~3.tmp", 1, ... , 1, ... 00958 1500 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00964 1500 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00965 1500 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00966 1500 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0 00967 1500 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00968 1500 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00969 1500 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ... 00963 392 NtQueryDirectoryFile ... {status=0x0, info=24}, ) == 0x0 00970 392 NtClose (-2147482108, ... ) == 0x0 00962 392 NtCreateFile ... 100, {status=0x0, info=2}, ) == 0x0 00971 392 NtClose (100, ... ) == 0x0 00972 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243640, (0xc0100080, {24, 0, 0x40, 0, 1243640, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 00974 392 NtClose (-2147482108, ... 00969 1500 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00975 1500 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 1500 NtQueryValueKey (96, (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00977 1500 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00978 1500 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00979 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 
104, ) == 0x0 00980 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 00974 392 NtClose ... ) == 0x0 00981 392 NtQueryDirectoryFile (-2147482108, 0, 0, 0, -519876608, 4096, Names, 1, (-2147482108, 0, 0, 0, -519876608, 4096, Names, 1, "~3.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE 00982 392 NtClose (-2147482108, ... ) == 0x0 00973 392 NtCreateFile ... 108, {status=0x0, info=2}, ) == 0x0 00983 392 NtQueryVolumeInformationFile (108, 1243800, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00984 392 NtQueryInformationFile (108, 1243692, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00985 392 NtWriteFile (108, 0, 0, 0, (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... , 43520, 0x0, 0, ... 00980 1500 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 00986 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00987 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\334\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\335\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00988 1500 NtClose (104, ... ) == 0x0 00989 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00990 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00991 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 00985 392 NtWriteFile ... {status=0x0, info=43520}, ) == 0x0 00992 392 NtClose (108, ... ) == 0x0 00993 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00994 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1240364, ... ) }, 1240364, ... ) == 0x0 00995 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1241056, ... ) }, 1241056, ... 
) == 0x0 00996 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00997 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 108, ... 00991 1500 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 00998 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\347\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\350\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00999 1500 NtClose (104, ... ) == 0x0 01000 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 01001 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01002 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01003 1500 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 01004 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\356\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01005 1500 NtClose (104, ... ) == 0x0 01006 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0 01007 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01008 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01009 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01010 1500 NtClose (104, ... ) == 0x0 01011 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0 01012 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01013 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01014 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01015 1500 NtClose (104, ... ) == 0x0 01016 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0 01017 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01018 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01019 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01020 1500 NtClose (104, ... ) == 0x0 01021 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0 01022 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01023 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01024 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01025 1500 NtClose (104, ... ) == 0x0 01026 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0 01027 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01028 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01029 1500 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 01030 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01031 1500 NtClose (104, ... ) == 0x0 01032 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0 01033 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01034 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01035 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01036 1500 NtClose (104, ... ) == 0x0 01037 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0 01038 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01039 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01040 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Po\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0\204\1\0\0\334\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01041 1500 NtClose (104, ... ) == 0x0 01042 1500 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0 01043 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01044 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01045 1500 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\26\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\27\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0\204\1\0\0\334\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0\204\1\0\0\334\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0\204\1\0\0\334\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0\204\1\0\0\334\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250m\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\26\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\27\4\0\0\204\1\0\0\334\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0\204\1\0\0\334\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0\204\1\0\0\334\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0\204\1\0\0\334\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0\204\1\0\0\334\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\4\0\0\204\1\0\0\334\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\262\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250m\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01046 1500 NtClose (104, ... ) == 0x0 01047 1500 NtClose (100, ... 
) == 0x0 01048 1500 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 01049 1500 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 01050 1500 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0 01051 1500 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01052 1500 NtNotifyChangeKey (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01053 1500 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01054 1500 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01055 1500 NtQueryValueKey (104, (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01056 1500 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0 01057 1500 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 01058 1500 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0 01059 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01060 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01061 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01062 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01063 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01064 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01065 1500 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... 
TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01066 1500 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 1500 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01068 1500 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01069 1500 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01070 1500 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01071 1500 NtClose (116, ... ) == 0x0 01072 1500 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0 01073 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01074 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01075 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01076 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01077 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01078 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01079 1500 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01080 1500 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 1500 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01082 1500 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01083 1500 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01084 1500 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01085 1500 NtClose (116, ... ) == 0x0 01086 1500 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0 01087 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01088 1500 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01089 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01090 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01091 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01092 1500 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01093 1500 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01094 1500 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01095 1500 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01096 1500 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01097 1500 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01098 1500 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01099 1500 NtClose (116, ... 
) == 0x0 01100 1500 NtClose (112, ... ) == 0x0 01101 1500 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 01102 1500 NtClose (88, ... ) == 0x0 01103 1500 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01104 1500 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01105 1500 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 01106 1500 NtQueryValueKey (88, (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01107 1500 NtClose (88, ... ) == 0x0 01108 1500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0 01109 1500 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0 01110 1500 NtLockFile (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01111 1500 NtQueryInformationFile (112, 1354632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01112 1500 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 12779520, 1052672, ) == 0x0 01113 1500 NtAllocateVirtualMemory (-1, 12779520, 0, 235, 4096, 4, ... 12779520, 4096, ) == 0x0 01114 1500 NtReadFile (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (112, 0, 0, 0, 231, 0x0, 2012046884, ... 
{status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 01115 1500 NtFreeVirtualMemory (-1, (0xc30000), 1052672, 32768, ... (0xc30000), 1052672, ) == 0x0 01116 1500 NtUnlockFile (112, {0, 0}, {-1, -1}, 1500, ... ) == STATUS_RANGE_NOT_LOCKED 01117 1500 NtClose (112, ... ) == 0x0 01118 1500 NtOpenProcessToken (-1, 0x8, ... 112, ) == 0x0 01119 1500 NtQueryInformationToken (112, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01120 1500 NtClose (112, ... ) == 0x0 01121 1500 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01122 1500 NtCreateFile (0xc0100000, {24, 0, 0x40, 0, 0, (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 01123 1500 NtLockFile (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0 01124 1500 NtQueryInformationFile (112, 1354632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01125 1500 NtAllocateVirtualMemory (-1, 0, 0, 1048811, 8192, 4, ... 12779520, 1052672, ) == 0x0 01126 1500 NtAllocateVirtualMemory (-1, 12779520, 0, 235, 4096, 4, ... 12779520, 4096, ) == 0x0 01127 1500 NtReadFile (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, (112, 0, 0, 0, 231, 0x0, 2012046884, ... 
{status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0 01128 1500 NtWriteFile (112, 0, 0, 0, (112, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=58343sxkbc20241\15\12", 38, {231, 0}, 2012046884, ... {status=0x0, info=38}, ) , 38, {231, 0}, 2012046884, ... {status=0x0, info=38}, ) == 0x0 01129 1500 NtSetInformationFile (112, 11730088, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00997 392 NtCreateSection ... 116, ) == 0x0 01130 392 NtQueryVolumeInformationFile (108, 1240364, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01131 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0 01132 392 NtQueryInformationFile (120, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01133 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 120, ... 01134 1500 NtFreeVirtualMemory (-1, (0xc30000), 1052672, 32768, ... (0xc30000), 1052672, ) == 0x0 01135 1500 NtUnlockFile (112, {0, 0}, {-1, -1}, 1500, ... ) == STATUS_RANGE_NOT_LOCKED 01136 1500 NtClose (112, ... ) == 0x0 01137 1500 NtDelayExecution (0, {-122880000, -1}, ... 01133 392 NtCreateSection ... 112, ) == 0x0 01138 392 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc30000), 0x0, 1028096, ) == 0x0 01139 392 NtQueryInformationFile (120, 1239048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01140 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01141 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0 01142 392 NtQueryDirectoryFile (124, 0, 0, 0, 1236612, 616, BothDirectory, 1, (124, 0, 0, 0, 1236612, 616, BothDirectory, 1, "~3.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01143 392 NtClose (124, ... ) == 0x0 01144 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01145 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01146 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1236000, ... ) }, 1236000, ... ) == 0x0 01147 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0 01148 392 NtQueryDirectoryFile (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01149 392 NtClose (124, ... ) == 0x0 01150 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0 01151 392 NtQueryDirectoryFile (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01152 392 NtClose (124, ... ) == 0x0 01153 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 
124, {status=0x0, info=1}, ) == 0x0 01154 392 NtQueryDirectoryFile (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01155 392 NtClose (124, ... ) == 0x0 01156 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0 01157 392 NtQueryDirectoryFile (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 01158 392 NtClose (124, ... ) == 0x0 01159 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01160 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01161 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01162 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01163 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 01164 392 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01165 392 NtClose (124, ... ) == 0x0 01166 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 392 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01169 392 NtClose (112, ... ) == 0x0 01170 392 NtClose (120, ... 
) == 0x0 01171 392 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01172 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01174 392 NtOpenProcessToken (-1, 0xa, ... 120, ) == 0x0 01175 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 01176 392 NtQueryValueKey (112, (112, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01177 392 NtQueryValueKey (112, (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (112, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01178 392 NtClose (112, ... ) == 0x0 01179 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 
112, ) }, ... 112, ) == 0x0 01180 392 NtQuerySymbolicLinkObject (112, ... (112, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01181 392 NtClose (112, ... ) == 0x0 01182 392 NtQueryInformationFile (108, 1238716, 528, Name, ... {status=0x0, info=130}, ) == 0x0 01183 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01184 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01185 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~3.tmp.exe"}, 1237396, ... ) }, 1237396, ... ) == 0x0 01186 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0 01187 392 NtQueryDirectoryFile (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01188 392 NtClose (112, ... ) == 0x0 01189 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 112, {status=0x0, info=1}, ) }, 3, 16417, ... 112, {status=0x0, info=1}, ) == 0x0 01190 392 NtQueryDirectoryFile (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, (112, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 01191 392 NtClose (112, ... ) == 0x0 01192 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01193 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01194 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0 01195 392 NtQueryValueKey (112, (112, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01196 392 NtClose (112, ... ) == 0x0 01197 392 NtQueryInformationToken (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01198 392 NtQueryInformationToken (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01199 392 NtClose (120, ... ) == 0x0 01200 392 NtCreateProcessEx (1242992, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0 01201 392 NtQueryInformationProcess (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1508,ParentPid=388,}, 0x0, ) == 0x0 01202 392 NtReadVirtualMemory (120, 0x7ffdf008, 4, ... (120, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0 01203 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 392 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 01205 392 NtReadVirtualMemory (120, 0x9800000, 4096, ... (120, 0x9800000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0 01206 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01207 392 NtQueryInformationProcess (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1508,ParentPid=388,}, 0x0, ) == 0x0 01208 392 NtAllocateVirtualMemory (-1, 0, 0, 1772, 4096, 4, ... 12779520, 4096, ) == 0x0 01209 392 NtAllocateVirtualMemory (120, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 01210 392 NtWriteVirtualMemory (120, 0x10000, (120, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01211 392 NtAllocateVirtualMemory (120, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0 01212 392 NtWriteVirtualMemory (120, 0x20000, (120, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 
\0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0 01213 392 NtWriteVirtualMemory (120, 0x7ffdf010, (120, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01214 392 NtWriteVirtualMemory (120, 0x7ffdf1e8, (120, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01215 392 NtFreeVirtualMemory (-1, (0xc30000), 0, 32768, ... (0xc30000), 4096, ) == 0x0 01216 392 NtAllocateVirtualMemory (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01217 392 NtAllocateVirtualMemory (120, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01218 392 NtProtectVirtualMemory (120, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01219 392 NtCreateThread (0x1f03ff, 0x0, 120, 1241256, 1241976, 1, ... 
112, {1508, 1512}, ) == 0x0 01220 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0p\0\0\0\344\5\0\0\350\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2258, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0p\0\0\0\344\5\0\0\350\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 388, 392, 2258, 0} (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329480, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367w{\0\0\0p\0\0\0\344\5\0\0\350\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2258, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wx\0\0\0p\0\0\0\344\5\0\0\350\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01221 392 NtResumeThread (112, ... 1, ) == 0x0 01222 392 NtClose (108, ... ) == 0x0 01223 392 NtClose (116, ... ) == 0x0 01224 392 NtQueryInformationProcess (120, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1508,ParentPid=388,}, 0x0, ) == 0x0 01225 392 NtUserWaitForInputIdle (1508, 30000, 0, ... 01226 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 01227 392 NtClose (116, ... ) == 0x0 00952 1504 NtDelayExecution ... ) == 0x0 01228 1504 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 12779520, 65536, ) == 0x0 01229 1504 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 01230 1504 NtCreateSection (0xf0007, 0x0, {13396, 0}, 4, 134217728, 0, ... 116, ) == 0x0 01231 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc40000), {0, 0}, 16384, ) == 0x0 01232 1504 NtUnmapViewOfSection (-1, 0xc40000, ... ) == 0x0 01233 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc40000), {0, 0}, 16384, ) == 0x0 01234 1504 NtFreeVirtualMemory (-1, (0xc30000), 0, 32768, ... (0xc30000), 65536, ) == 0x0 01235 1504 NtUnmapViewOfSection (-1, 0xc40000, ... ) == 0x0 01236 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01237 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01238 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01239 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01240 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01241 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01242 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01243 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01244 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01245 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01246 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xc30000), {0, 0}, 16384, ) == 0x0 01247 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01248 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01249 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01250 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01251 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01252 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01253 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01254 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01255 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01256 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01257 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01258 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01259 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01260 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01261 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01262 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01263 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01264 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01265 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01266 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01267 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01268 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01269 1504 NtUnmapViewOfSection (-1, 0xc30000, ... 
) == 0x0 01270 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01271 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01272 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01273 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01274 1504 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0 01275 1504 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01276 1504 NtContinue (12776104, 0, ... 01277 1504 NtDelayExecution (0, {-20480000, -1}, ... 00957 1492 NtDelayExecution ... ) == 0x0 01278 1492 NtMapViewOfSection (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... (0xc30000), {0, 0}, 20480, ) == 0x0 01279 1492 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 01280 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01282 1492 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 10680252, ... ) }, 10680252, ... ) == 0x0 01284 1492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 01285 1492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 124, ) == 0x0 01286 1492 NtQuerySection (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01287 1492 NtClose (108, ... ) == 0x0 01288 1492 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76bb0000), 0x0, 16384, ) == 0x0 01289 1492 NtClose (124, ... ) == 0x0 01290 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 1492 NtAllocateVirtualMemory (-1, 10670080, 0, 4096, 4096, 260, ... 10670080, 4096, ) == 0x0 01292 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 1492 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 10679448, ... ) }, 10679448, ... ) == 0x0 01295 1492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 01296 1492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 124, ... 108, ) == 0x0 01297 1492 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01298 1492 NtClose (124, ... ) == 0x0 01299 1492 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 01300 1492 NtClose (108, ... ) == 0x0 01301 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01302 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 1492 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01304 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 10678644, ... ) }, 10678644, ... 
) == 0x0 01305 1492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 01306 1492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 124, ) == 0x0 01307 1492 NtQuerySection (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01308 1492 NtClose (108, ... ) == 0x0 01309 1492 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 01310 1492 NtClose (124, ... ) == 0x0 01311 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 124, ) }, ... 124, ) == 0x0 01312 1492 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 01313 1492 NtClose (124, ... ) == 0x0 01314 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 124, ) }, ... 124, ) == 0x0 01315 1492 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 01316 1492 NtClose (124, ... ) == 0x0 01317 1492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 124, ) }, ... 124, ) == 0x0 01318 1492 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 01319 1492 NtClose (124, ... ) == 0x0 01320 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 1492 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01322 1492 NtCreateEvent (0x1f0003, {24, 52, 0x80, 10680384, 0, (0x1f0003, {24, 52, 0x80, 10680384, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01323 1492 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 
124, ) }, ... 124, ) == 0x0 01324 1492 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01325 1492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01326 1492 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12779520, 262144, ) == 0x0 01327 1492 NtAllocateVirtualMemory (-1, 12779520, 0, 4096, 4096, 4, ... 12779520, 4096, ) == 0x0 01328 1492 NtAllocateVirtualMemory (-1, 12783616, 0, 8192, 4096, 4, ... 12783616, 8192, ) == 0x0 01329 1492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01330 1492 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13041664, 1048576, ) == 0x0 01331 1492 NtAllocateVirtualMemory (-1, 13041664, 0, 1048576, 4096, 4, ... 13041664, 1048576, ) == 0x0 01332 1492 NtCreateMutant (0x1f0001, 0x0, 0, ... 108, ) == 0x0 01333 1492 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0 01334 1492 NtCreateMutant (0x1f0001, 0x0, 0, ... 132, ) == 0x0 01335 1492 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 136, ) == 0x0 01336 1492 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 140, ) == 0x0 01337 1492 NtSetEvent (140, ... 0x0, ) == 0x0 01338 1492 NtDelayExecution (0, {-40960000, -1}, ... 01277 1504 NtDelayExecution ... ) == 0x0 01339 1504 NtContinue (12776104, 0, ... 01340 1504 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01341 1504 NtContinue (12776104, 0, ... 01342 1504 NtDelayExecution (0, {-20480000, -1}, ... 01338 1492 NtDelayExecution ... 
) == 0x0 01343 1492 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01344 1492 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 10682096, (0x40100080, {24, 0, 0x40, 0, 10682096, "\??\C:\KUKU300a"}, 0x0, 32, 2, 5, 96, 0, 0, ... }, 0x0, 32, 2, 5, 96, 0, 0, ... 01345 1492 NtClose (-2147482028, ... ) == 0x0 01344 1492 NtCreateFile ... 144, {status=0x0, info=2}, ) == 0x0 01346 1492 NtClose (144, ... ) == 0x0 01347 1492 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\KUKU300a"}, 7, 2113600, ... 144, {status=0x0, info=1}, ) }, 7, 2113600, ... 144, {status=0x0, info=1}, ) == 0x0 01348 1492 NtQueryInformationFile (144, 10682160, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 01349 1492 NtSetInformationFile (144, 10682211, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 01350 1492 NtClose (144, ... ) == 0x0 01351 1492 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01352 1492 NtEnumerateValueKey (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0 01353 1492 NtEnumerateValueKey (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0 01354 1492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 148, ) }, ... 148, ) == 0x0 01355 1492 NtOpenKey (0x20019, {24, 148, 0x40, 0, 0, (0x20019, {24, 148, 0x40, 0, 0, "ActiveComputerName"}, ... 152, ) }, ... 152, ) == 0x0 01356 1492 NtQueryValueKey (152, (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01357 1492 NtClose (152, ... ) == 0x0 01358 1492 NtClose (148, ... ) == 0x0 01359 1492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 01360 1492 NtQueryValueKey (148, (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (148, "Hostname", Full, 128, ... 
TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01361 1492 NtClose (148, ... ) == 0x0 01362 1492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01363 1492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 01364 1492 NtQueryValueKey (148, (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01365 1492 NtClose (148, ... ) == 0x0 01366 1492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01367 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 148, ) }, ... 148, ) == 0x0 01369 1492 NtQueryValueKey (148, (148, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 1492 NtClose (148, ... ) == 0x0 01371 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01372 1492 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01373 1492 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01374 1492 NtQuerySystemTime (... {-1715163566, 29879620}, ) == 0x0 01375 1492 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0 01376 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01377 1492 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01378 1492 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01379 1492 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01380 1492 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01381 1492 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0 01382 1492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 168, ) }, ... 168, ) == 0x0 01383 1492 NtOpenKey (0x20019, {24, 168, 0x40, 0, 0, (0x20019, {24, 168, 0x40, 0, 0, "ActiveComputerName"}, ... 172, ) }, ... 172, ) == 0x0 01384 1492 NtQueryValueKey (172, (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01385 1492 NtClose (172, ... ) == 0x0 01386 1492 NtClose (168, ... ) == 0x0 01387 1492 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 168, ) == 0x0 01388 1492 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 172, ) == 0x0 01389 1492 NtDuplicateObject (-1, 168, -1, 0x0, 0, 2, ... 
176, ) == 0x0 01390 1492 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01391 1492 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01392 1492 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0 01393 1492 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01394 1492 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01395 1492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10679196, (0xc0100080, {24, 0, 0x40, 0, 10679196, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0 01396 1492 NtSetInformationFile (184, 10679252, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01397 1492 NtSetInformationFile (184, 10679244, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01398 1492 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01399 1492 NtWriteFile (184, 161, 0, 0, (184, 161, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01400 1492 NtReadFile (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20* \0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01401 1492 NtFsControlFile (184, 161, 0x0, 0x0, 0x11c017, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20* \0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=68}, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20* \0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01402 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0 01403 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01404 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01405 1492 NtClose (188, ... ) == 0x0 01406 1492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10681244, (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01407 1492 NtQueryInformationFile (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01408 1492 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01409 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01410 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01411 1492 NtClose (188, ... ) == 0x0 01412 1492 NtDelayExecution (0, {-10240000, -1}, ... 
01342 1504 NtDelayExecution ... ) == 0x0 01413 1504 NtContinue (12776104, 0, ... 01414 1504 NtDelayExecution (0, {-20480000, -1}, ... 01412 1492 NtDelayExecution ... ) == 0x0 01415 1492 NtEnumerateValueKey (144, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01416 1492 NtClose (144, ... ) == 0x0 01417 1492 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01418 1492 NtEnumerateValueKey (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01419 1492 NtEnumerateValueKey (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01420 1492 NtFsControlFile (184, 161, 0x0, 0x0, 0x11c017, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... 
{status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28}, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01421 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0 01422 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01423 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01424 1492 NtClose (188, ... ) == 0x0 01425 1492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10681244, (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01426 1492 NtQueryInformationFile (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01427 1492 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01428 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01429 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01430 1492 NtClose (188, ... ) == 0x0 01431 1492 NtDelayExecution (0, {-10240000, -1}, ... ) == 0x0 01432 1492 NtEnumerateValueKey (144, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0 01433 1492 NtEnumerateValueKey (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0 01434 1492 NtFsControlFile (184, 161, 0x0, 0x0, 0x11c017, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28}, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... 
{status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01435 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0 01436 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01437 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01438 1492 NtClose (188, ... ) == 0x0 01439 1492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10681244, (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01440 1492 NtQueryInformationFile (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01441 1492 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01442 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01443 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01444 1492 NtClose (188, ... ) == 0x0 01445 1492 NtDelayExecution (0, {-10240000, -1}, ... 01414 1504 NtDelayExecution ... ) == 0x0 01446 1504 NtContinue (12776104, 0, ... 01447 1504 NtDelayExecution (0, {-20480000, -1}, ... 01445 1492 NtDelayExecution ... ) == 0x0 01448 1492 NtEnumerateValueKey (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0a\0z\0d\0y\0z\0.\0e\0x\0e\0\0\0"}, 90, ) , Data= (144, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0a\0z\0d\0y\0z\0.\0e\0x\0e\0\0\0"}, 90, ) }, 90, ) == 0x0 01449 1492 NtEnumerateValueKey (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0a\0z\0d\0y\0z\0.\0e\0x\0e\0\0\0"}, 90, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0a\0z\0d\0y\0z\0.\0e\0x\0e\0\0\0"}, 90, ) }, 90, ) == 0x0 01450 1492 NtFsControlFile (184, 161, 0x0, 0x0, 0x11c017, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0f\0\0\0\4\0\0\0N\0\0\0\0\0\1\0p\342\0\20\37\0\0\0\0\0\0\0\37\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0I\0A\0Z\0D\0Y\0Z\0.\0E\0X\0E\0\0\0", 102, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 102, 1024, ... {status=0x103, info=28}, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0f\0\0\0\4\0\0\0N\0\0\0\0\0\1\0p\342\0\20\37\0\0\0\0\0\0\0\37\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0I\0A\0Z\0D\0Y\0Z\0.\0E\0X\0E\0\0\0", 102, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01451 1492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\IAZDYZ.EXE"}, 10681264, ... ) }, 10681264, ... ) == 0x0 01452 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\IAZDYZ.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01453 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01454 1492 NtClose (188, ... 
) == 0x0 01455 1492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 10681244, (0xc0100080, {24, 0, 0x40, 0, 10681244, "\??\C:\WINDOWS\SYSTEM32\IAZDYZ.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 01456 1492 NtQueryInformationFile (-1, 10681296, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01457 1492 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 01458 1492 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\IAZDYZ.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0 01459 1492 NtSetInformationFile (188, 10681240, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01460 1492 NtClose (188, ... ) == 0x0 01461 1492 NtDelayExecution (0, {-10240000, -1}, ... 01137 1500 NtDelayExecution ... ) == 0x0 01462 1500 NtOpenKey (0xf003f, {24, 64, 0x40, 0, 0, (0xf003f, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0 01463 1500 NtSetValueKey (188, (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 0, 4, (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 4, ... 01464 1500 NtSetInformationFile (-2147482716, -134473932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01465 1500 NtSetInformationFile (-2147482716, -134473968, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01466 1500 NtSetInformationFile (-2147482716, -134474024, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01467 1500 NtSetInformationFile (-2147482716, -134474332, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01463 1500 NtSetValueKey ... ) == 0x0 01468 1500 NtClose (188, ... ) == 0x0 01469 1500 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 188, ) }, ... 188, ) == 0x0 01470 1500 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 01471 1500 NtClose (188, ... 
) == 0x0 01472 1500 NtAllocateVirtualMemory (-1, 11718656, 0, 4096, 4096, 260, ... 11718656, 4096, ) == 0x0 01473 1500 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 01474 1500 NtCreateKey (0xf003f, {24, 64, 0x40, 0, 0, (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 188, 2, ) }, 0, 0x0, 0, ... 188, 2, ) == 0x0 01475 1500 NtQueryDefaultUILanguage (11727188, ... 01476 1500 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01477 1500 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482028, ) == 0x0 01478 1500 NtQueryInformationToken (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01479 1500 NtClose (-2147482028, ... ) == 0x0 01480 1500 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0 01481 1500 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01482 1500 NtOpenKey (0x80000000, {24, -2147482028, 0x640, 0, 0, (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 01483 1500 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01484 1500 NtClose (-2147482024, ... ) == 0x0 01485 1500 NtClose (-2147482028, ... ) == 0x0 01475 1500 NtQueryDefaultUILanguage ... ) == 0x0 01486 1500 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01487 1500 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 
192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01488 1500 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0 01489 1500 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd70000), 0x0, 593920, ) == 0x0 01490 1500 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 1500 NtAllocateVirtualMemory (-1, 11714560, 0, 4096, 4096, 260, ... 11714560, 4096, ) == 0x0 01492 1500 NtQueryDefaultLocale (1, 11725224, ... ) == 0x0 01493 1500 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 1500 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0} (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ... {128, 156, reply, 0, 388, 1500, 2407, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 1500, 2407, 0} (24, {128, 156, new_msg, 0, 11726080, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ... 
{128, 156, reply, 0, 388, 1500, 2407, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\262\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\336\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\0\364\262\0\0\0\0\0" ) ) == 0x0 01495 1500 NtClose (192, ... ) == 0x0 01496 1500 NtClose (196, ... ) == 0x0 01497 1500 NtUnmapViewOfSection (-1, 0xd70000, ... ) == 0x0 01498 1500 NtUnmapViewOfSection (-1, 0xb2f400, ... ) == STATUS_NOT_MAPPED_VIEW 01499 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01500 1500 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01502 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01503 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 11723764, ... ) }, 11723764, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01505 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01506 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01507 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 11724356, ... ) }, 11724356, ... ) == 0x0 01508 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 196, {status=0x0, info=1}, ) }, 3, 33, ... 196, {status=0x0, info=1}, ) == 0x0 01509 1500 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01510 1500 NtCreateKey (0x2001f, {24, 64, 0x40, 0, 0, (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 
192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0 01511 1500 NtAllocateVirtualMemory (-1, 0, 0, 262144, 4096, 4, ... 14090240, 262144, ) == 0x0 01512 1500 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 01513 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0 01514 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01515 1500 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0 01516 1500 NtClose (200, ... ) == 0x0 01517 1500 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdb0000), 0x0, 229376, ) == 0x0 01518 1500 NtClose (204, ... ) == 0x0 01519 1500 NtUnmapViewOfSection (-1, 0xdb0000, ... ) == 0x0 01520 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727364, ... ) }, 11727364, ... ) == 0x0 01521 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01522 1500 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01523 1500 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01524 1500 NtClose (204, ... ) == 0x0 01525 1500 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01526 1500 NtClose (200, ... ) == 0x0 01527 1500 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01528 1500 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01529 1500 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0 01530 1500 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01531 1500 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01532 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01533 1500 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01534 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 11727164, ... ) }, 11727164, ... ) == 0x0 01535 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01536 1500 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0 01537 1500 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01538 1500 NtClose (204, ... ) == 0x0 01539 1500 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01540 1500 NtClose (208, ... ) == 0x0 01541 1500 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
208, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 01542 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01543 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01544 1500 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01545 1500 NtQueryValueKey (204, (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01546 1500 NtQueryValueKey (208, (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 1500 NtQueryValueKey (204, (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01548 1500 NtQueryValueKey (208, (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01549 1500 NtQueryValueKey (204, (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01550 1500 NtQueryValueKey (208, (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01551 1500 NtQueryValueKey (204, (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01552 1500 NtQueryValueKey (208, (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01553 1500 NtQueryValueKey (204, (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01554 1500 NtQueryValueKey (204, (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01555 1500 NtQueryValueKey (204, (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01556 1500 NtQueryValueKey (204, (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01557 1500 NtQueryValueKey (204, (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01558 1500 NtQueryValueKey (204, (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01559 1500 NtQueryValueKey (204, (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01560 1500 NtQueryValueKey (208, (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 1500 NtQueryValueKey (204, (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01562 1500 NtQueryValueKey (204, (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01563 1500 NtQueryValueKey (208, (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01564 1500 NtQueryValueKey (204, (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 1500 NtQueryValueKey (208, (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01566 1500 NtQueryValueKey (204, (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01567 1500 NtQueryValueKey (208, (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01568 1500 NtQueryValueKey (204, (204, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01569 1500 NtQueryValueKey (208, (208, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01570 1500 NtQueryValueKey (204, (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01571 1500 NtQueryValueKey (208, (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01572 1500 NtQueryValueKey (204, (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01573 1500 NtQueryValueKey (208, (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01574 1500 NtQueryValueKey (204, (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01575 1500 NtQueryValueKey (208, (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01576 1500 NtQueryValueKey (204, (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01577 1500 NtQueryValueKey (208, (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01578 1500 NtQueryValueKey (204, (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 1500 NtQueryValueKey (204, (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01580 1500 NtQueryValueKey (204, (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01581 1500 NtQueryValueKey (204, (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01582 1500 NtQueryValueKey (204, (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01583 1500 NtQueryValueKey (204, (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01584 1500 NtQueryValueKey (204, (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 1500 NtQueryValueKey (204, (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 1500 NtQueryValueKey (204, (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01587 1500 NtQueryValueKey (204, (204, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 1500 NtQueryValueKey (204, (204, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 1500 NtQueryValueKey (204, (204, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 1500 NtQueryValueKey (204, (204, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 1500 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01592 1500 NtQueryValueKey (212, (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01593 1500 NtClose (212, ... ) == 0x0 01594 1500 NtClose (208, ... ) == 0x0 01595 1500 NtClose (204, ... 
) == 0x0 01596 1500 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01597 1500 NtQueryValueKey (204, (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 1500 NtQueryValueKey (204, (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 1500 NtQueryValueKey (204, (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01600 1500 NtClose (204, ... ) == 0x0 01601 1500 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01602 1500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 208, ) == 0x0 01603 1500 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01604 1500 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727640, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727640, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0 01605 1500 NtRequestWaitReplyPort (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850} (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0P*\25\0x*\25\0\240*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\303\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 388, 1500, 2409, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0P*\25\0x*\25\0\240*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\303\0\0\0\5\0\0\0" ) ... 
{128, 152, reply, 0, 388, 1500, 2409, 0} (216, {128, 152, new_msg, 0, 127212, 1310720, 11727404, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0P*\25\0x*\25\0\240*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\303\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 388, 1500, 2409, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0P*\25\0x*\25\0\240*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\2\24\0\0\0\0\0\303\0\0\0\5\0\0\0" ) ) == 0x0 01606 1500 NtRequestWaitReplyPort (216, {64, 88, new_msg, 0, 0, 0, 0, 0} (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 388, 1500, 2410, 0} "\2\317N\200\1\0*\201\10\20*\201\0\0\0\0\316\321N\200H\20*\201\0-:\201\230K(\370\210\31\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 388, 1500, 2410, 0} (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 388, 1500, 2410, 0} "\2\317N\200\1\0*\201\10\20*\201\0\0\0\0\316\321N\200H\20*\201\0-:\201\230K(\370\210\31\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01607 1500 NtClose (212, ... ) == 0x0 01608 1500 NtClose (216, ... ) == 0x0 01609 1500 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 
216, 2, ) == 0x0 01610 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01611 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01612 1500 NtQueryValueKey (216, (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01613 1500 NtQueryValueKey (216, (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01614 1500 NtClose (216, ... ) == 0x0 01615 1500 NtClose (212, ... ) == 0x0 01616 1500 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01617 1500 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727504, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727504, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0 01618 1500 NtRequestWaitReplyPort (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850} (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\340)\25\0\200*\25\0\0\0\0\0\310\1\24\0(+\25\0\4\0\0\0\0\0\0\0\0\0\24\0p+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 388, 1500, 2413, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\340)\25\0\200*\25\0\0\0\0\0\310\1\24\0(+\25\0\4\0\0\0\0\0\0\0\0\0\24\0p+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 388, 1500, 2413, 0} (216, {128, 152, new_msg, 0, 127076, 1310720, 11727268, 2012750850} "\0\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\340)\25\0\200*\25\0\0\0\0\0\310\1\24\0(+\25\0\4\0\0\0\0\0\0\0\0\0\24\0p+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 388, 1500, 2413, 0} "\7\370\262\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\340)\25\0\200*\25\0\0\0\0\0\310\1\24\0(+\25\0\4\0\0\0\0\0\0\0\0\0\24\0p+\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 01619 1500 NtRequestWaitReplyPort (216, {44, 68, new_msg, 0, 388, 1500, 2410, 0} (216, {44, 68, new_msg, 0, 388, 1500, 2410, 0} "\1\317\0\0A\2\4\0\10\20*\201\0\0\0\0\316\321N\200H\20*\201\377\377\377\377\230K(\370\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 388, 1500, 2414, 0} "\2\317N\200\4\0*\201\10\20*\201\0\0\0\0\316\321N\200H\20*\201\0-:\201\230K(\370\324\1\0\0\240,\11\0" ) ... {40, 64, reply, 0, 388, 1500, 2414, 0} (216, {44, 68, new_msg, 0, 388, 1500, 2410, 0} "\1\317\0\0A\2\4\0\10\20*\201\0\0\0\0\316\321N\200H\20*\201\377\377\377\377\230K(\370\0\0\0\0\0\0\0\0\1\0\0\0" ... 
{40, 64, reply, 0, 388, 1500, 2414, 0} "\2\317N\200\4\0*\201\10\20*\201\0\0\0\0\316\321N\200H\20*\201\0-:\201\230K(\370\324\1\0\0\240,\11\0" ) ) == 0x0 01620 1500 NtRequestWaitReplyPort (216, {64, 88, new_msg, 56, 0, 1, 0, 0} (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\262\0@\0\314wx)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0x)\25\0\1\0\0\0\0;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 388, 1500, 2415, 0} "\10\364\262\0@\0\314wx)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0x)\25\0\1\0\0\0\0;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 388, 1500, 2415, 0} (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\262\0@\0\314wx)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0x)\25\0\1\0\0\0\0;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 388, 1500, 2415, 0} "\10\364\262\0@\0\314wx)\25\0X\364\262\0\300\364\262\0\0\267\362v\300\364\262\0x)\25\0\1\0\0\0\0;\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01621 1500 NtClose (212, ... ) == 0x0 01622 1500 NtClose (216, ... ) == 0x0 01623 1500 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0 01624 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01625 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01626 1500 NtQueryValueKey (216, (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01627 1500 NtQueryValueKey (216, (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01628 1500 NtClose (216, ... ) == 0x0 01629 1500 NtClose (212, ... ) == 0x0 01630 1500 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01631 1500 NtQueryValueKey (212, (212, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01632 1500 NtClose (212, ... ) == 0x0 01633 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0 01634 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01635 1500 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0 01636 1500 NtClose (212, ... ) == 0x0 01637 1500 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdb0000), 0x0, 16384, ) == 0x0 01638 1500 NtClose (216, ... ) == 0x0 01639 1500 NtUnmapViewOfSection (-1, 0xdb0000, ... ) == 0x0 01640 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11727364, ... ) }, 11727364, ... ) == 0x0 01641 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01642 1500 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01643 1500 NtQuerySection (212, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01644 1500 NtClose (216, ... ) == 0x0 01645 1500 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 01646 1500 NtClose (212, ... ) == 0x0 01647 1500 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 212, ) }, ... 212, ) == 0x0 01648 1500 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01649 1500 NtClose (212, ... ) == 0x0 01650 1500 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01651 1500 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01652 1500 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 216, ) }, ... 216, ) == 0x0 01653 1500 NtQueryValueKey (216, (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01654 1500 NtClose (216, ... ) == 0x0 01655 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11727048, ... ) }, 11727048, ... ) == 0x0 01656 1500 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01657 1500 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14352384, 65536, ) == 0x0 01658 1500 NtAllocateVirtualMemory (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0 01659 1500 NtAllocateVirtualMemory (-1, 14356480, 0, 8192, 4096, 4, ... 14356480, 8192, ) == 0x0 01660 1500 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
216, ) == 0x0 01661 1500 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11727324, 112, ... 220, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11727324, 112, ... 220, 0x0, 0x0, 0x0, 112, ) == 0x0 01662 1500 NtRequestWaitReplyPort (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088} (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088} "\0$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320*\25\0\4\0\0\0\320*\25\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\350K\25\0PJ\25\0\300K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 388, 1500, 2418, 0} "\7$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320*\25\0\377\377\377\377\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\350K\25\0PJ\25\0\300K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {128, 152, reply, 0, 388, 1500, 2418, 0} (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11727088} "\0$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320*\25\0\4\0\0\0\320*\25\0\20\344\314w\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\350K\25\0PJ\25\0\300K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{128, 152, reply, 0, 388, 1500, 2418, 0} "\7$\370w\240\367\262\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320*\25\0\377\377\377\377\320*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\350K\25\0PJ\25\0\300K\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01663 1500 NtRequestWaitReplyPort (220, {104, 128, new_msg, 0, 388, 1500, 2414, 0} (220, {104, 128, new_msg, 0, 388, 1500, 2414, 0} "\1\317\0\0A\2\11\0\10\20*\201\0\0\0\0\316\321N\200H\20*\201\377\377\377\377\230K(\370\0\0\0\0\324I\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01461 1492 NtDelayExecution ... ) == 0x0 01664 1492 NtEnumerateValueKey (144, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01665 1492 NtClose (144, ... ) == 0x0 01666 1492 NtDelayExecution (0, {-10240000, -1}, ... 01447 1504 NtDelayExecution ... ) == 0x0 01667 1504 NtContinue (12776104, 0, ... 01668 1504 NtDelayExecution (0, {-20480000, -1}, ... 01666 1492 NtDelayExecution ... ) == 0x0 01669 1492 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 144, {status=0x0, info=1}, ) }, 3, 16417, ... 144, {status=0x0, info=1}, ) == 0x0 01670 1492 NtQueryDirectoryFile (144, 0, 0, 0, 10680804, 616, BothDirectory, 1, (144, 0, 0, 0, 10680804, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01671 1492 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0 01672 1492 NtQueryDirectoryFile (144, 0, 0, 0, 1395816, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0 01673 1492 NtDelayExecution (0, {-10240000, -1}, ... ) == 0x0 01674 1492 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 224, {status=0x0, info=1}, ) }, 3, 16417, ... 
224, {status=0x0, info=1}, ) == 0x0 01675 1492 NtQueryDirectoryFile (224, 0, 0, 0, 10680744, 616, BothDirectory, 1, (224, 0, 0, 0, 10680744, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01676 1492 NtQueryDirectoryFile (224, 0, 0, 0, 1399920, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0 01677 1492 NtDelayExecution (0, {-10240000, -1}, ... 01668 1504 NtDelayExecution ... ) == 0x0 01678 1504 NtContinue (12776104, 0, ... 01679 1504 NtDelayExecution (0, {-20480000, -1}, ... 01677 1492 NtDelayExecution ... ) == 0x0 01680 1492 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\REPAIR\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 228, {status=0x0, info=1}, ) == 0x0 01681 1492 NtQueryDirectoryFile (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01682 1492 NtAllocateVirtualMemory (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0 01683 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1240}, ) == 0x0 01684 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 01685 1492 NtClose (228, ... ) == 0x0 01686 1492 NtDelayExecution (0, {-5120000, -1}, ... ) == 0x0 01687 1492 NtDelayExecution (0, {-10240000, -1}, ... 01679 1504 NtDelayExecution ... ) == 0x0 01688 1504 NtContinue (12776104, 0, ... 01689 1504 NtDelayExecution (0, {-20480000, -1}, ... 01687 1492 NtDelayExecution ... ) == 0x0 01690 1492 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\INF\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 
228, {status=0x0, info=1}, ) == 0x0 01691 1492 NtQueryDirectoryFile (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, (228, 0, 0, 0, 10680684, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01692 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3990}, ) == 0x0 01693 1492 NtFsControlFile (184, 161, 0x0, 0x0, 0x11c017, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 96, 1024, ... {status=0x103, info=28}, (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103 01694 1492 NtDelayExecution (0, {-20480000, -1}, ... 01689 1504 NtDelayExecution ... ) == 0x0 01695 1504 NtContinue (12776104, 0, ... 01696 1504 NtDelayExecution (0, {-20480000, -1}, ... 01694 1492 NtDelayExecution ... ) == 0x0 01697 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0 01698 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3986}, ) == 0x0 01699 1492 NtDelayExecution (0, {-81920000, -1}, ... 01663 1500 NtRequestWaitReplyPort ... {44, 68, reply, 0, 388, 1500, 2419, 0} ... {44, 68, reply, 0, 388, 1500, 2419, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0F'\0\0\1\0\0\0" ) ) == 0x0 01700 1500 NtClose (216, ... ) == 0x0 01701 1500 NtClose (220, ... 
) == 0x0 01702 1500 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 220, ) }, ... 220, ) == 0x0 01703 1500 NtQueryValueKey (220, (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01704 1500 NtQueryValueKey (220, (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01705 1500 NtQueryValueKey (220, (220, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01706 1500 NtClose (220, ... ) == 0x0 01707 1500 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01708 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01709 1500 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01710 1500 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 11728084, ... ) }, 11728084, ... ) == 0x0 01711 1500 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0 01712 1500 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 220, ... 216, ) == 0x0 01713 1500 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01714 1500 NtClose (220, ... 
) == 0x0 01715 1500 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 01716 1500 NtClose (216, ... ) == 0x0 01717 1500 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0 01718 1500 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0 01719 1500 NtDeviceIoControlFile (216, 220, 0x0, 0x0, 0xf14014, (216, 220, 0x0, 0x0, 0xf14014, "\3\0\0\0www.microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 01720 1500 NtClose (220, ... ) == 0x0 01721 1500 NtClose (216, ... ) == 0x0 01722 1500 NtDelayExecution (0, {1770094592, -2}, ... 01696 1504 NtDelayExecution ... ) == 0x0 01723 1504 NtContinue (12776104, 0, ... 01724 1504 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01725 1504 NtContinue (12776104, 0, ... 01726 1504 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01727 1504 NtContinue (12776104, 0, ... 
01728 1504 NtDelayExecution (0, {-20480000, -1}, ... ) == 0x0 01729 1504 NtContinue (12776104, 0, ... 01730 1504 NtDelayExecution (0, {-20480000, -1}, ... 01699 1492 NtDelayExecution ... ) == 0x0 01731 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0 01732 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4078}, ) == 0x0 01733 1492 NtQueryDirectoryFile (228, 0, 0, 0, 1404120, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4066}, ) == 0x0 01734 1492 NtDelayExecution (0, {-81920000, -1}, ... 01730 1504 NtDelayExecution ... ) == 0x0 01735 1504 NtContinue (12776104, 0, ... 01736 1504 NtDelayExecution (0, {-20480000, -1}, ... 01225 392 NtUserWaitForInputIdle ... ) == 0x102 01737 392 NtClose (120, ... ) == 0x0 01738 392 NtClose (112, ... ) == 0x0 01739 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01740 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01741 392 NtDelayExecution (0, {-10000000, -1}, ... 01736 1504 NtDelayExecution ... ) == 0x0 01742 1504 NtContinue (12776104, 0, ... 01743 1504 NtDelayExecution (0, {-20480000, -1}, ... 01741 392 NtDelayExecution ... ) == 0x0 01744 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "b1790f4c06f035c083b712e3f4f6a1a8c30c"}, 0, ... 112, ) }, 0, ... 112, ) == 0x0 01745 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01746 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01747 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238192, ... ) }, 1238192, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01748 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 01749 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 01750 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 120, ... 216, ) == 0x0 01751 392 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01752 392 NtClose (120, ... ) == 0x0 01753 392 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01754 392 NtClose (216, ... ) == 0x0 01755 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 216, ) }, ... 216, ) == 0x0 01756 392 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 01757 392 NtClose (216, ... ) == 0x0 01758 392 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 216, ) == 0x0 01759 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 01760 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 220, ) }, ... 220, ) == 0x0 01761 392 NtNotifyChangeKey (220, 120, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 01762 392 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 01763 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 232, ) == 0x0 01764 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0 01765 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238192, ... ) }, 1238192, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01767 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01768 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0 01769 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 01770 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 01771 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01772 392 NtClose (240, ... ) == 0x0 01773 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 01774 392 NtClose (244, ... ) == 0x0 01775 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01776 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01777 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01778 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237388, ... ) }, 1237388, ... ) == 0x0 01779 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01780 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 01781 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01782 392 NtClose (244, ... 
) == 0x0 01783 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01784 392 NtClose (240, ... ) == 0x0 01785 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01786 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14417920, 262144, ) == 0x0 01787 392 NtAllocateVirtualMemory (-1, 14417920, 0, 4096, 4096, 4, ... 14417920, 4096, ) == 0x0 01788 392 NtAllocateVirtualMemory (-1, 14422016, 0, 8192, 4096, 4, ... 14422016, 8192, ) == 0x0 01789 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01790 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01791 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01792 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01794 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0 01795 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 
240, {status=0x0, info=1}, ) == 0x0 01796 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 01797 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01798 392 NtClose (240, ... ) == 0x0 01799 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 01800 392 NtClose (244, ... ) == 0x0 01801 392 NtAllocateVirtualMemory (-1, 8863744, 0, 8192, 4096, 4, ... 8863744, 8192, ) == 0x0 01802 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01803 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 244, ) == 0x0 01804 392 NtQueryInformationToken (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01805 392 NtClose (244, ... ) == 0x0 01806 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 244, ) }, ... 244, ) == 0x0 01807 392 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 392 NtClose (244, ... ) == 0x0 01809 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 244, ) }, ... 244, ) == 0x0 01810 392 NtQueryValueKey (244, (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01811 392 NtQueryValueKey (244, (244, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01812 392 NtQueryValueKey (244, (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01813 392 NtQueryValueKey (244, (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 01814 392 NtClose (244, ... ) == 0x0 01815 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 244, ) }, ... 244, ) == 0x0 01816 392 NtQueryValueKey (244, (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01817 392 NtQueryValueKey (244, (244, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01818 392 NtQueryValueKey (244, (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01819 392 NtQueryValueKey (244, (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01820 392 NtQueryValueKey (244, (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 01821 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0 01822 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 
240, {status=0x0, info=1}, ) == 0x0 01823 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 240, ... 248, ) == 0x0 01824 392 NtClose (240, ... ) == 0x0 01825 392 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0 01826 392 NtClose (248, ... ) == 0x0 01827 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 01828 392 NtQuerySystemInformation (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0 01829 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238660, ... ) }, 1238660, ... ) == 0x0 01830 392 NtQueryFullAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0 01831 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239184, (0x80100080, {24, 0, 0x40, 0, 1239184, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0 01832 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0 01833 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0 01834 392 NtQueryDefaultLocale (1, 1238992, ... ) == 0x0 01835 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01836 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01837 392 NtReadFile (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (248, 0, 0, 0, 336, 0x0, 0, ... 
{status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01838 392 NtQueryInformationFile (248, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01839 392 NtSetInformationFile (248, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01840 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01841 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01842 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01843 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01844 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01845 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01846 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01847 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01848 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01849 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01850 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01851 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01852 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01853 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01854 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01855 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01856 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01857 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01858 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01859 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01860 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01861 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01862 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01863 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01864 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01865 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01866 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01867 392 NtReadFile (248, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01868 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01869 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01870 392 NtReadFile (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (248, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01871 392 NtQueryInformationFile (248, 1239236, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01872 392 NtSetInformationFile (248, 1239236, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01873 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0 01874 392 NtReadFile (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0 01875 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 01876 392 NtClose (240, ... ) == 0x0 01877 392 NtClose (248, ... 
) == 0x0 01878 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01879 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0 01880 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 248, ... 240, ) == 0x0 01881 392 NtClose (248, ... ) == 0x0 01882 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0 01883 392 NtClose (240, ... ) == 0x0 01884 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 01885 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238032, ... ) }, 1238032, ... ) == 0x0 01886 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 01887 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 248, ) == 0x0 01888 392 NtQuerySection (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01889 392 NtClose (240, ... ) == 0x0 01890 392 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0 01891 392 NtClose (248, ... ) == 0x0 01892 392 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01893 392 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01894 392 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01895 392 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01896 392 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01897 392 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01898 392 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... 
(0xffd1000), 4096, 32, ) == 0x0 01899 392 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01900 392 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01901 392 NtProtectVirtualMemory (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0 01902 392 NtProtectVirtualMemory (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0 01903 392 NtFlushInstructionCache (-1, 268242944, 492, ... ) == 0x0 01904 392 NtAllocateVirtualMemory (-1, 1413120, 0, 20480, 4096, 4, ... 1413120, 20480, ) == 0x0 01905 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01906 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01907 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01908 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01909 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01910 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01911 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01912 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01913 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01914 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01915 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01916 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01917 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01918 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01919 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01920 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01921 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01922 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01923 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01924 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01925 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01926 392 NtQueryDefaultLocale (1, 1236884, ... ) == 0x0 01927 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236984, ... ) }, 1236984, ... 
) == 0x0 01928 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237716, (0x80100080, {24, 0, 0x40, 0, 1237716, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0 01929 392 NtQueryVolumeInformationFile (248, 1237876, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01930 392 NtQueryInformationFile (248, 1237768, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01931 392 NtQueryInformationFile (248, 1238060, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01932 392 NtClose (248, ... ) == 0x0 01933 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236476, ... ) }, 1236476, ... ) == 0x0 01934 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237208, (0x80100080, {24, 0, 0x40, 0, 1237208, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0 01935 392 NtQueryVolumeInformationFile (248, 1237368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01936 392 NtQueryInformationFile (248, 1237260, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01937 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0 01938 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0 01939 392 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01940 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01941 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01942 392 NtQueryDefaultLocale (1, 1237348, ... ) == 0x0 01943 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... 
{BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01944 392 NtQueryVirtualMemory (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 01945 392 NtReadFile (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0 01946 392 NtQueryInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01947 392 NtSetInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01948 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01949 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0 01950 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0 01951 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0 01952 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0 01953 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0 01954 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= 
\0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0 01955 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0 01956 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0 01957 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0 01958 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0 01959 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0 01960 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0 01961 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0 01962 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0 01963 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0 01964 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0 01965 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0 01966 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0 01967 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0 01968 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0 01969 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0 01970 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ 
PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0 01971 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 
\0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0 01972 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 
\0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0 01973 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\
0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0 01974 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0 01975 392 NtReadFile (248, 0, 0, 0, 
4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) 
\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0 01976 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01977 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0 01978 392 NtReadFile (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, (248, 0, 0, 0, 2916, 0x0, 0, ... 
{status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0 01979 392 NtQueryInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01980 392 NtSetInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01981 392 NtQueryInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01982 392 NtSetInformationFile (248, 1237596, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01983 392 NtReadFile (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, (248, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0 01984 392 NtReadFile (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0 01985 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 01986 392 NtClose (240, ... ) == 0x0 01987 392 NtClose (248, ... 
) == 0x0 01988 392 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 248, ) }, ... 248, ) == 0x0 01989 392 NtQueryValueKey (248, (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01990 392 NtQueryValueKey (248, (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01991 392 NtQueryValueKey (248, (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01992 392 NtQueryValueKey (248, (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... 
TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 01993 392 NtClose (248, ... ) == 0x0 01994 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01995 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01996 392 NtOpenProcessToken (-1, 0x8, ... 248, ) == 0x0 01997 392 NtQueryInformationToken (248, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 01998 392 NtClose (248, ... ) == 0x0 01999 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 248, {status=0x0, info=0}, ) }, 7, 16, ... 248, {status=0x0, info=0}, ) == 0x0 02000 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\351-8\374\13&\305:\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02001 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02002 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02003 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02004 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02005 392 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 02006 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02007 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02008 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02009 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "/\267d\361=\303\336\360\6[}O{\365\15bfx\202\374\6\255\346:f_\337D\23\315\241\32\327\245\267x#\267\256NS\257|\336B\356\211Vv!\245\246\201\3552*\375J\2\323L\17\6\315c\23\263S\234m\200@\315\225k\262\207+\343", 80, ... , 0, 3, (-2147482112, "Seed", 0, 3, "/\267d\361=\303\336\360\6[}O{\365\15bfx\202\374\6\255\346:f_\337D\23\315\241\32\327\245\267x#\267\256NS\257|\336B\356\211Vv!\245\246\201\3552*\375J\2\323L\17\6\315c\23\263S\234m\200@\315\225k\262\207+\343", 80, ... , 80, ... 02010 392 NtSetInformationFile (-2147482808, -136511876, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02011 392 NtSetInformationFile (-2147482808, -136511912, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02009 392 NtSetValueKey ... ) == 0x0 02012 392 NtClose (-2147482112, ... ) == 0x0 02000 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "w\342\37\33\312\370\334\322:\355_?\226\301(P?'\217_\324!5\273\177\240S"7\256\371I\270\4\15Q\243\202\337\311\314\221\303hB\14\350\361\277\351\265\366\216,*\330\302\277\375\372-G\226\232\31\252\21,v\366JA2\227\264m\250\253p\350zUV\232\212x>\3128L6\10\246\354\361\261\23\313\31\253\271\231\267K\16\33\366$\315,\310\305\231$\231s\37\363\264\32He\256%\253\300:jC?T\203\336\353#\310x<<3\332\215Z~\370t\370\216H\221\344}\35lt\276F\30\275\264\213\373S\15\234d\235(\33z\277\306O5\177\200\322\327\266\0\375\240\2653\353\202\255\230\216X)9/_*\243I\4\263\5\314\301,\232\336\203\272\234\327\213Ag\217\307]\205\277L\34\373m\27\233\270\207\273u.\261\210\247B\316n\367*ce\207@\322\346\222g\235\14\332\21\23\250\306\206\226\251)", ) 7\256\371I\270\4\15Q\243\202\337\311\314\221\303hB\14\350\361\277\351\265\366\216,*\330\302\277\375\372-G\226\232\31\252\21,v\366JA2\227\264m\250\253p\350zUV\232\212x>\3128L6\10\246\354\361\261\23\313\31\253\271\231\267K\16\33\366$\315,\310\305\231$\231s\37\363\264\32He\256%\253\300:jC?T\203\336\353#\310x<<3\332\215Z~\370t\370\216H\221\344}\35lt\276F\30\275\264\213\373S\15\234d\235(\33z\277\306O5\177\200\322\327\266\0\375\240\2653\353\202\255\230\216X)9/_*\243I\4\263\5\314\301,\232\336\203\272\234\327\213Ag\217\307]\205\277L\34\373m\27\233\270\207\273u.\261\210\247B\316n\367*ce\207@\322\346\222g\235\14\332\21\23\250\306\206\226\251)", ) == 0x0 02013 392 NtClose (244, ... 
) == 0x0 02014 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250\16<\234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02015 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02016 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02017 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02018 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02019 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02020 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02021 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02022 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02023 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "D\244\13\307\30\21\302\301\20%As\325'\206:#\31\322\31gk\241h\322\5\227\236cUfF\1Nf\232.\264^\25\31*\24\311\20\277Y\377\10\330u=t\35\177\324\327B([\237.\201=S\35\350\27)\365#P\331%G\335\254L\205\355", 80, ... 
) , 0, 3, (-2147482112, "Seed", 0, 3, "D\244\13\307\30\21\302\301\20%As\325'\206:#\31\322\31gk\241h\322\5\227\236cUfF\1Nf\232.\264^\25\31*\24\311\20\277Y\377\10\330u=t\35\177\324\327B([\237.\201=S\35\350\27)\365#P\331%G\335\254L\205\355", 80, ... ) , 80, ... ) == 0x0 02024 392 NtClose (-2147482112, ... ) == 0x0 02014 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "*\4\337\271\216\230\13\256N\226\352\240\346\177\253\245\214e\246\223\337N\217\347\14b`|\366!\0\301\256\361\36-\246\245\263\245sZnr\2108:\265\327\273s\265B[\350\314\365?3\30\306\31\30 r\355\321U\35P/9\210u\346\351\325\312\364\251r\245C\344V\226\336V\341t\362|{\375\331X\23\267\331D,lw\365\374@\373m\35\336\25\207\324\314\266$p\30?U\33\324J\14\360\247BC\373\354\325p\240\37\5\240\365@\216sP\376\235\324\335\255\256hY\17g\200\333\361\225|\302\313zg\227\303K\306F\267\15\321\342V\231^8\35m\36P\331\235\371\236\13\315\330\3265H\6\366Wzw4\350\267\373D\263]M\333_\3236\226\214\22\33\2431:DCe\356\242\377vT\3y\315b\11{\200\242\226,\251y\314\2026\232|1\231\20(\372\12#Wz?\251\373\373\323\30\10\330)\222\3", ) , ) == 0x0 02025 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02026 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02027 392 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 02028 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02029 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02030 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02031 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02032 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02033 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02034 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "H\237\344\202\2174\362\344v\351Nh5\335\222\347\324\307Y7\326N\351\326\34\352>\261i\234U\274\357\352\32\303Vv\224M\347\354b7;\313$\324\25\264\203D\264=}g\320`\214\277{\177m{\265\201@X\322\214R$\274\333\14\314\3|P\311", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "H\237\344\202\2174\362\344v\351Nh5\335\222\347\324\307Y7\326N\351\326\34\352>\261i\234U\274\357\352\32\303Vv\224M\347\354b7;\313$\324\25\264\203D\264=}g\320`\214\277{\177m{\265\201@X\322\214R$\274\333\14\314\3|P\311", 80, ... ) , 80, ... ) == 0x0 02035 392 NtClose (-2147482112, ... ) == 0x0 02025 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\257W$w\272\365+S6\202\320\26\233\363u\223v\1\325C\266\276\317\373x\273S\226IMp\251~\317\25\316\347\363o\313=\344\246\202)\204\266qPM\207\214B.\267\216\254\372I\322\251av\226&.d7\7\345\337\3\271\370\340\21x\23\331.\264\34Q\15\201\232T\371\366'\262\0)\33\211\312H\305x\265\277\326\303\370^\252xj\334m\320\23\270\375O\321]\254a\26\373\336\220R\262\33&\302vU\307\277\366$\203\271\310g\335\307\256\371`EeK\332K,d\244 \210w2\353\15\274\300H\344)l\332\276\331r\365\270\360Q\231\337\373K\2548\334d]\252\304f\12\335\31\207\301\240\336/\331z$\365\203JN'\233\202\374LQ\367M\225\334\342\235\244^\306\225\347\317\200~\10\327do;\2710\221-\167?\327\201np\374\312Q\177\213\211bu\254\260\242\247\276\370\371cz\236;\337R", ) , ) == 0x0 02036 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245'\276:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02037 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02038 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02039 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02040 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02041 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02042 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 02043 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02044 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02045 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "\365\236\30\260\16T\22\372{w\372\33\225\354^.K\251]\266`\346Jf\335\267\204\256"\236\301\260\36^$\331D\322g:\255\31\232\357~}\235\222e\213\340\340\367\306\260i\361,l&^\33\223$\253F\300\201\370\307\376\327\323Uf[M\301u", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "\365\236\30\260\16T\22\372{w\372\33\225\354^.K\251]\266`\346Jf\335\267\204\256"\236\301\260\36^$\331D\322g:\255\31\232\357~}\235\222e\213\340\340\367\306\260i\361,l&^\33\223$\253F\300\201\370\307\376\327\323Uf[M\301u", 80, ... ) \236\301\260\36^$\331D\322g:\255\31\232\357~}\235\222e\213\340\340\367\306\260i\361,l&^\33\223$\253F\300\201\370\307\376\327\323Uf[M\301u", 80, ... ) == 0x0 02046 392 NtClose (-2147482112, ... ) == 0x0 02036 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\241\262+, ) , ) == 0x0 02047 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02048 392 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 02049 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02050 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02051 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02052 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02053 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02054 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02055 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02056 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "\22\203?#$^>YW\352dG\261\14\343h\3-U\27\7\272J\231\261y\21L\21[\234j\321\276\1\277;\246m\312\212\253ek\214\234\374\235/$\246P\352\1\277\32z+P\235\3:&A|OQ\227\31\335\214;\264O\237\275{l\353\360", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "\22\203?#$^>YW\352dG\261\14\343h\3-U\27\7\272J\231\261y\21L\21[\234j\321\276\1\277;\246m\312\212\253ek\214\234\374\235/$\246P\352\1\277\32z+P\235\3:&A|OQ\227\31\335\214;\264O\237\275{l\353\360", 80, ... ) , 80, ... ) == 0x0 02057 392 NtClose (-2147482112, ... ) == 0x0 02047 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\370_\324\314\207:6\266\342\341T\271\212\3434z\26w\342|\273pq\246\5]i\361.\6(\343"\360\15\34\356\277\362(q(\21\321\375\236\265\0`\252\324\31XY\32\11\334\306\367:\245\322\7[l\321\10TjUe\212\260-h\25\365!\264\207\7\2251c0\312\252\203\25TS\237\247\271694w~Z\203\334\337N\0\302\25\330s\262\36\200fV\36\322r#l\301\16\271\12\310\232\313\12\207i+=\216bO\220\371\353{\267G\334.7\376>\344V\326-\352[\312x\214\257t\333V\367\240\372\260\14\206\246\34 K\375\21\2263-\203)\267f\272\322B\272\221\354\202\366\360d\347\7\254|\240\242\3.\207\15\357\211P\226\222W\215\311\17{\20\210\363\376\261\250C\251"\1\200\341\264ES\302\1s\256\310zG^T\31\213\357\27z6)\250\253\33\31\261\\326y\37t\376\376\230W?>|", ) \360\15\34\356\277\362(q(\21\321\375\236\265\0`\252\324\31XY\32\11\334\306\367:\245\322\7[l\321\10TjUe\212\260-h\25\365!\264\207\7\2251c0\312\252\203\25TS\237\247\271694w~Z\203\334\337N\0\302\25\330s\262\36\200fV\36\322r#l\301\16\271\12\310\232\313\12\207i+=\216bO\220\371\353{\267G\334.7\376>\344V\326-\352[\312x\214\257t\333V\367\240\372\260\14\206\246\34 K\375\21\2263-\203)\267f\272\322B\272\221\354\202\366\360d\347\7\254|\240\242\3.\207\15\357\211P\226\222W\215\311\17{\20\210\363\376\261\250C\251 ... 
{status=0x0, info=256}, "\370_\324\314\207:6\266\342\341T\271\212\3434z\26w\342|\273pq\246\5]i\361.\6(\343"\360\15\34\356\277\362(q(\21\321\375\236\265\0`\252\324\31XY\32\11\334\306\367:\245\322\7[l\321\10TjUe\212\260-h\25\365!\264\207\7\2251c0\312\252\203\25TS\237\247\271694w~Z\203\334\337N\0\302\25\330s\262\36\200fV\36\322r#l\301\16\271\12\310\232\313\12\207i+=\216bO\220\371\353{\267G\334.7\376>\344V\326-\352[\312x\214\257t\333V\367\240\372\260\14\206\246\34 K\375\21\2263-\203)\267f\272\322B\272\221\354\202\366\360d\347\7\254|\240\242\3.\207\15\357\211P\226\222W\215\311\17{\20\210\363\376\261\250C\251"\1\200\341\264ES\302\1s\256\310zG^T\31\213\357\27z6)\250\253\33\31\261\\326y\37t\376\376\230W?>|", ) , ) == 0x0 02058 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02059 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02060 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02061 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02062 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02063 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02064 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 02065 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02066 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02067 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "\341\323JC\365\212\225\373O\274\306\346\373\1771\221}M\35\214\376\256\3338\341\326"K\20\30\337)`\254%\364t\271\255\6\224\261\3464\21\330\205\361\352w?\377\337\32\254", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "\341\323JC\365\212\225\373O\274\306\346\373\1771\221}M\35\214\376\256\3338\341\326"K\20\30\337)`\254%\364t\271\255\6\224\261\3464\21\330\205\361\352w?\377\337\32\254", 80, ... ) K\20\30\337)`\254%\364t\271\255\6\224\2613405\266\23\201\223c\2427Y\3324\13\343\355!\336\373\335>\3464\21\330\205\361\352w?\377\337\32\254", 80, ... ) == 0x0 02068 392 NtClose (-2147482112, ... ) == 0x0 02058 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\307[%/w*\250\177\315\16?\7\315\335\36Xj\307\305(3\262\254\25)\31\300\316>\322\7\273\255\36\242.\36p+Y\34sD\357\316f\271\37J\2378\273\327)~\330\2L\31\340\334P\220\25\366\273);\255v\276\375'Q\5l\dH\373\26\24\320fz\33b\265q\354P\346u\37\347dH\2320\214\333\20C\215\241\305'X\306/\202B<\342=\236V\353=\20\267\247\265\'\257#\255`\27 _\257\3\227\300\241\240\345Nk\301\305\33PO\255x\16H;I>\11\322\346i\310\14\343\240\31nX\256\376\35+\177y^\335\375\207\363q\223\365\373\3044$\241\330\320\226\262\12)\354\341v8*\317\360\377\375\3$\367\210\235;\35\315!\275y\207G\255\307A\276\233\374\266vE8\325\11\304\343\244G,\317\242T\356\314\351\16\230\327X\366\3658P\210\241\3163:R\227\304\331!\2417", ) , ) == 0x0 02069 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02070 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02071 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02072 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02073 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02074 392 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 02075 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 02076 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02077 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02078 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "\263\32\317/8O\226\300\334\272Vi\257\212iz\303\234\10\373\203\223\360\274\262\370\334\22\15\7# *\325\215\335\204FC\362$\324\272\307\264\227\240\342Zg\227Kkv\326\15\222{c\305\220\311\1\206\217\26O[\267\241M\347-\\3079\214\326\313\366", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "\263\32\317/8O\226\300\334\272Vi\257\212iz\303\234\10\373\203\223\360\274\262\370\334\22\15\7# *\325\215\335\204FC\362$\324\272\307\264\227\240\342Zg\227Kkv\326\15\222{c\305\220\311\1\206\217\26O[\267\241M\347-\\3079\214\326\313\366", 80, ... ) , 80, ... ) == 0x0 02079 392 NtClose (-2147482112, ... ) == 0x0 02069 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "f\367x\307\35O\264\223\Nm\335&\6\255\363\344\257\272]\34*6\213K\344\337`\357\362pF\313F\352\263\365\376Z\320\370\2\226\2044\222L\307\266\341F\367\353\32\2\325\2255e'/y\211]\177Yn%\2236t\363<~V\262\352z\245\317\32:<\21\16\260\4PX\310\220%\22-\222R\237\35\5\307\351\17\226C\305\25\331\364\275\302\37$\255N!\352\\361\276|\313\351\35\351<\322\311\277\25\11\5\204\314\356\355:\346\270\303\246\304\35`]\3?\21'\326yy\322\220\237g+K\227n\254\251\350\203b\37\214\227\36\10\222\37\17k\204\2343@H2\260Q\277\364N\366\3122v'\320\376n\276\216\307H\12\353\261\330\267\352M~D\214;I)\360yM\10q\244\337\247H\27*\254\33^G\342Cz\372\230\35\20^\272\317\345\207\265\355\372mp*\241\242\177\347\6\224\212p{\335!d\364", ) , ) == 0x0 02080 392 NtDeviceIoControlFile (248, 0, 0x0, 0x0, 0x390008, (248, 0, 0x0, 0x0, 0x390008, "\337\311\235\247\35x\214\311\263\236]\14a\250.\242:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245'\276:\30\363\32\245\7 \234\271\364]\3103\203\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02081 392 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 02082 392 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 02083 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 02084 392 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 02085 392 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 02086 392 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 02087 392 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02088 392 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482112, 2, ) }, 0, 0x0, 0, ... -2147482112, 2, ) == 0x0 02089 392 NtSetValueKey (-2147482112, (-2147482112, "Seed", 0, 3, "c\14\214\364v\267o\362c\177\341\23M\17y\265\353F%\270\353\350\212s\323\325\2009\335N*p\217\3\257P\267\17\216\36s\357\365N\333_(Z\376J\235\351\357\337U&\341\34\33\3\16X0\364\360G\273\336\335\362\242-j\3\7"#f\357*", 80, ... ) , 0, 3, (-2147482112, "Seed", 0, 3, "c\14\214\364v\267o\362c\177\341\23M\17y\265\353F%\270\353\350\212s\323\325\2009\335N*p\217\3\257P\267\17\216\36s\357\365N\333_(Z\376J\235\351\357\337U&\341\34\33\3\16X0\364\360G\273\336\335\362\242-j\3\7"#f\357*", 80, ... ) #f\357*", 80, ... ) == 0x0 02090 392 NtClose (-2147482112, ... ) == 0x0 02080 392 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\326\337\204\274Pi\333\0\365\237\2651]\254\376\302\310\361\377\356\320\205\204\226Er\245_\245=C\323;\7I\220\340}\333\233\301\313\233\277Y\233^V\3279\341m!V\354n\241U[\16l\253\37j\11\326\224\335T\217kp\230\222V?lM\351\12\10\335\177\305\276\3012\357\233a\2752\216\203\260cZzz(\267\250\315Z\277\371\201\250\255\306\236\3\34,\245\23M\165\312"U#IW\341\300HT\364(t\252Fl\262\222p\357\32\371\353\275\36J\266Y\201A\13\213\330\224\10"\275&\315\211\227\301\243\214\340k1=\3073V\321D\32B\217\343\4\217D/mk1\236~\214}\212\\30\355NwU\203\265\226C\200\213\212m\24\14\352\366\11E\234\263\345iw\26\223\25\220yItOM&\21|w\255\233:Z`\270\6G\243\220f\233*a\254\37ZCt*|\37\206bi\347\264\4\253\3", ) U#IW\341\300HT\364(t\252Fl\262\222p\357\32\371\353\275\36J\266Y\201A\13\213\330\224\10 ... 
{status=0x0, info=256}, "\326\337\204\274Pi\333\0\365\237\2651]\254\376\302\310\361\377\356\320\205\204\226Er\245_\245=C\323;\7I\220\340}\333\233\301\313\233\277Y\233^V\3279\341m!V\354n\241U[\16l\253\37j\11\326\224\335T\217kp\230\222V?lM\351\12\10\335\177\305\276\3012\357\233a\2752\216\203\260cZzz(\267\250\315Z\277\371\201\250\255\306\236\3\34,\245\23M\165\312"U#IW\341\300HT\364(t\252Fl\262\222p\357\32\371\353\275\36J\266Y\201A\13\213\330\224\10"\275&\315\211\227\301\243\214\340k1=\3073V\321D\32B\217\343\4\217D/mk1\236~\214}\212\\30\355NwU\203\265\226C\200\213\212m\24\14\352\366\11E\234\263\345iw\26\223\25\220yItOM&\21|w\255\233:Z`\270\6G\243\220f\233*a\254\37ZCt*|\37\206bi\347\264\4\253\3", ) , ) == 0x0 02091 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 244, {status=0x0, info=1}, ) }, 3, 33, ... 244, {status=0x0, info=1}, ) == 0x0 02092 392 NtQueryVolumeInformationFile (244, 1238964, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02093 392 NtClose (12, ... ) == 0x0 02094 392 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02095 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238184, (0x80100080, {24, 0, 0x40, 0, 1238184, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 02096 392 NtQueryInformationFile (12, 1239120, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 02097 392 NtQueryInformationFile (12, 1239092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02098 392 NtQueryInformationFile (12, 1239044, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02099 392 NtAllocateVirtualMemory (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0 02100 392 NtQueryInformationFile (12, 1432232, 4094, Stream, ... 
{status=0x0, info=38}, ) == 0x0 02101 392 NtQueryInformationFile (12, 1237588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02102 392 NtQueryInformationFile (12, 1237432, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 02103 392 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1237440, (0x40110080, {24, 0, 0x40, 0, 1237440, "\??\C:\WINDOWS\System32\explorer.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 02104 392 NtClose (-2147482112, ... ) == 0x0 02103 392 NtCreateFile ... 240, {status=0x0, info=2}, ) == 0x0 02105 392 NtQueryVolumeInformationFile (240, 1236812, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 02106 392 NtQueryInformationFile (240, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02107 392 NtQueryVolumeInformationFile (12, 1236812, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02108 392 NtQueryVolumeInformationFile (12, 1236496, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02109 392 NtSetInformationFile (240, 1236600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02110 392 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 252, ) == 0x0 02111 392 NtMapViewOfSection (252, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 196608, ) == 0x0 02112 392 NtClose (252, ... 
) == 0x0 02113 392 NtWriteFile (240, 0, 0, 0, (240, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\250E\275\305\303L\34\227(\275\232\202z5\212PE\0\0L\1\6\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0@\4\0\0\240\2\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\4\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\241\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02114 392 NtWriteFile (240, 0, 0, 0, (240, 0, 0, 0, "be\311\203\300\305\332\364\270?\34\270\347\351&\260\207\332\370!\252\33iq\205[Eq\226\214\13\33U\257\215\233\320\324\26Y\37"f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351"\302\226\244c\365\331\21\274!\331\311\346\357\245\237\316r\14\177\3572\213O\22\4\311\177\201h\235\267\360\362\16vS\267\24\212o\316\250\26\346\354\212\265z|]\315\220R[\316\222A\373\25[\25U\340e\247\201!\261pU\352ep\231\271\313\25\342\357\265\354\34\305\344\234\370\15bd\335;6A\305\231\16\317\336\6=]\321'\177\370]|\342\347\323\264S=\266\264\311_l\225\363\264\373|\6\264od\364+\214\37\216\374\375\23\263(\327\27\3135nJ\334\273\205\149_}{B_\265hPG\321o\374i\237b\17\13E\376\234\263R_X\265\312/\6e\324vl\36\370\310\3037\26aQI\261;P\374\345T\25\262N\264\374 8\373\3615\374%\240\32\24\275\30\211\366n\256\245\235\371k\300\336\314\304x[\37\361\373f]\313f\236,\346F\243\3050\343\275\300\233\347\340\270\374\315\362\230B\330`\261\273\271*\375\335\245lj\321\320\226\225\3125\271\224\276w+\363\23\2115\262G\202\371\266q\235m\370\327\276\371\257|\217\261\240\220\13\353\232esq\365\233jo\243\227$\366\251W\227\274+\203#\213\317~\27O\274\37b7\34\337\252\352\340\252\330\263\315E\213\220d\233\265w\275\365\373G\305\25\257Gk\267\204\237=", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351 (240, 0, 0, 0, "be\311\203\300\305\332\364\270?\34\270\347\351&\260\207\332\370!\252\33iq\205[Eq\226\214\13\33U\257\215\233\320\324\26Y\37"f\235\201v\363\10g\327\4r\324\334\375\237l5$\201\325\17\246\351"\302\226\244c\365\331\21\274!\331\311\346\357\245\237\316r\14\177\3572\213O\22\4\311\177\201h\235\267\360\362\16vS\267\24\212o\316\250\26\346\354\212\265z|]\315\220R[\316\222A\373\25[\25U\340e\247\201!\261pU\352ep\231\271\313\25\342\357\265\354\34\305\344\234\370\15bd\335;6A\305\231\16\317\336\6=]\321'\177\370]|\342\347\323\264S=\266\264\311_l\225\363\264\373|\6\264od\364+\214\37\216\374\375\23\263(\327\27\3135nJ\334\273\205\149_}{B_\265hPG\321o\374i\237b\17\13E\376\234\263R_X\265\312/\6e\324vl\36\370\310\3037\26aQI\261;P\374\345T\25\262N\264\374 8\373\3615\374%\240\32\24\275\30\211\366n\256\245\235\371k\300\336\314\304x[\37\361\373f]\313f\236,\346F\243\3050\343\275\300\233\347\340\270\374\315\362\230B\330`\261\273\271*\375\335\245lj\321\320\226\225\3125\271\224\276w+\363\23\2115\262G\202\371\266q\235m\370\327\276\371\257|\217\261\240\220\13\353\232esq\365\233jo\243\227$\366\251W\227\274+\203#\213\317~\27O\274\37b7\34\337\252\352\340\252\330\263\315E\213\220d\233\265w\275\365\373G\305\25\257Gk\267\204\237=", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02115 392 NtWriteFile (240, 0, 0, 0, (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) R\267\373lJv_\321\330\315\4\23\332\246\347\356 (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263 (240, 0, 0, 0, "\332iB \271\355%+Q\225\244\3220\265-\271\361\260\274\202\332\16\6\2368R\310I\230Buo\6\10\211\325w\256;\322\371QK\274E\351\360\255\254V\17\335\6l\32\13Q.]\242\336\374}\210(\225\300\222w\352y\307A\336}\10\232{q\216b\205\340\374$\316__%\236\15$\377od\372n.\240\22s\262\235\301\245\227\37\3\367\261M\213E\25\3407\310s\356\302\275\354\3774c\243\324\205-\20\210V\260ab\212:\223\366\204\35\314%OV\216^\227\365id\241\36!\302\247\321\271\244\247\25\20dA0pUh\177\304*\3<\35\201\360\313\205"R\267\373lJv_\321\330\315\4\23\332\246\347\356"\277g#\200\273J(\301\13\355]x\3749Z\375k\323;\246X\345R\326\114\324g:\235$V\7\342w\376\14\376\1/\200B\258\213\241b\267h\250\231&q\365&~\367\221\376\231\230\334\353\333\352a\206<*\270\221\317?~u\332r+\245\277\222\331\256&E\304z\243b\325'\343>\3450\361d\314~\366\257x\327\304\227\11<\6Ts}\315Q\24\353s\223\276ghG\4k\205\17\76\272q\324zuY\321("\16b0\2\360z\352\207(a\36]\257\345(\5\31\377\23SU\207\372\263\274!n\202\371@8A,\210\231\230\37\200_\32q\2013\314u\346R\271\2447:I\357v\307l\355O\216\2251\313\17cJu'=\203o\202\371\33l\220\3Y\231\241W\327\36i\20\206h}\232\371g\236\16>cJ\33\224U\263"Y\203}\32i\31\230\333P0\245\37s\313`\264\12\\265\370ScMn\363'r\14x\325y\337\371x\36'\337\36A\374\205b\271\315\37k\205-(_\322-n\202\344y|n\207\314=\260\277\271}\245\32", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02116 392 NtWriteFile (240, 0, 0, 0, (240, 0, 0, 0, "\350\207\274Yy\256\216\352\307\243\32\234_?r`9OP\262~\333\33]E\276\254\350\340\251}\267D\337\264\224\240\261\237jD\25zj@\275\210\23K\342X=d\20\351\315\276>\5\24\326\260\6\307\226\2464\263\330s\2118L\366\212}\210\322Z\227\25\246\3041Q"8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333"c\230R?`\263\1M\226b\3425\245\212\240E\340\362D\213J\307\357\2768\177\4\336c\371A\332q\4\222\303\252\221\34n\212SX\27\316\263\327&\303\4\277\23\326\12\15\346\345!Y\15\351w\212A\300d\252\265*l%\204\341n\244\17\3660\6'\370\312`\244)\253\372\263y\12\377o\241?\212\340D\225X\273\230\203\272-%/6\15\31 6A\330-\252\211\310#\14?\322\20yQ(\266l\231h+\221\42\367(\177\364o\216M\366+\245~\256\375%\32\222\317%\306Yj\322\317\7\31\233\33\304u\367;\10\366$\362S\327\322\310K\224\3511\227u_\236\351\374d\275\202\242\226\355qF\377\21\320\213\240\352\20R\241\2642q~\236\21Zcg\354+\206).\365\144\351`\361\331\322M,.\335\233\10\302@\252KD^5Ia\344V2C'\220cb\364t\206\363\200`b\31\241\242\234m\3508\210D\300\245t\376=\365>%:\274~\30|z\214\255n\370\315W\362?\216,\23\361=\377\0n\251\3267@\362l\350\244\376\1\256\355\325\24\237K\333**|n\323\306\360\357l\377*\312\0\376\245\4\3"\261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... 
{status=0x0, info=11776}, ) 8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333 (240, 0, 0, 0, "\350\207\274Yy\256\216\352\307\243\32\234_?r`9OP\262~\333\33]E\276\254\350\340\251}\267D\337\264\224\240\261\237jD\25zj@\275\210\23K\342X=d\20\351\315\276>\5\24\326\260\6\307\226\2464\263\330s\2118L\366\212}\210\322Z\227\25\246\3041Q"8:\264J\336\341\300\337\273\326\320\35\244\333D\251\31\305\324%\327\300\223rz*\350\201\371\275\3701\143\206\274%\13\301\7\361q\236T\10\316\15\305\1\303d\312M8\204\221\266\203\234@\364\3557\332\355\31\333"c\230R?`\263\1M\226b\3425\245\212\240E\340\362D\213J\307\357\2768\177\4\336c\371A\332q\4\222\303\252\221\34n\212SX\27\316\263\327&\303\4\277\23\326\12\15\346\345!Y\15\351w\212A\300d\252\265*l%\204\341n\244\17\3660\6'\370\312`\244)\253\372\263y\12\377o\241?\212\340D\225X\273\230\203\272-%/6\15\31 6A\330-\252\211\310#\14?\322\20yQ(\266l\231h+\221\42\367(\177\364o\216M\366+\245~\256\375%\32\222\317%\306Yj\322\317\7\31\233\33\304u\367;\10\366$\362S\327\322\310K\224\3511\227u_\236\351\374d\275\202\242\226\355qF\377\21\320\213\240\352\20R\241\2642q~\236\21Zcg\354+\206).\365\144\351`\361\331\322M,.\335\233\10\302@\252KD^5Ia\344V2C'\220cb\364t\206\363\200`b\31\241\242\234m\3508\210D\300\245t\376=\365>%:\274~\30|z\214\255n\370\315W\362?\216,\23\361=\377\0n\251\3267@\362l\350\244\376\1\256\355\325\24\237K\333**|n\323\306\360\357l\377*\312\0\376\245\4\3"\261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... {status=0x0, info=11776}, ) \261z\333P\200\235\6f\227\21\266\30\3763*\376\6h\310", 11776, 0x0, 0, ... {status=0x0, info=11776}, ) == 0x0 02117 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 02118 392 NtSetInformationFile (240, 1239044, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02119 392 NtClose (12, ... ) == 0x0 02120 392 NtClose (240, ... 
) == 0x0 02121 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0 02122 392 NtSetInformationFile (240, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02123 392 NtClose (240, ... ) == 0x0 02124 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0 02125 392 NtSetInformationFile (240, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02126 392 NtClose (240, ... ) == 0x0 02127 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238948, (0x80100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0 02128 392 NtQueryInformationFile (240, 1239000, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02129 392 NtClose (240, ... ) == 0x0 02130 392 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1238948, (0x40100080, {24, 0, 0x40, 0, 1238948, "\??\C:\WINDOWS\System32\explorer.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0 02131 392 NtSetInformationFile (240, 1239000, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02132 392 NtClose (240, ... ) == 0x0 02133 392 NtOpenFile (0x10080, {24, 244, 0x40, 0, 0, (0x10080, {24, 244, 0x40, 0, 0, "efniz.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 392 NtCreateFile (0x40100080, {24, 244, 0x40, 0, 1239196, (0x40100080, {24, 244, 0x40, 0, 1239196, "efniz.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 240, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 
240, {status=0x0, info=2}, ) == 0x0 02135 392 NtWriteFile (240, 0, 0, 0, (240, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del efniz.bat\15\12", 121, 0x0, 0, ... {status=0x0, info=121}, ) , 121, 0x0, 0, ... {status=0x0, info=121}, ) == 0x0 02136 392 NtClose (240, ... ) == 0x0 02137 392 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02138 392 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 02139 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232536, ... ) }, 1232536, ... ) == 0x0 02140 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02141 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 240, ... 12, ) == 0x0 02142 392 NtClose (240, ... ) == 0x0 02143 392 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 262144, ) == 0x0 02144 392 NtClose (12, ... ) == 0x0 02145 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 02146 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02147 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02148 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02149 392 NtAllocateVirtualMemory (-1, 1441792, 0, 16384, 4096, 4, ... 1441792, 16384, ) == 0x0 02150 392 NtUserRegisterClassExWOW (1234620, 1234700, 1234684, 1234716, 0, 384, 0, ... ) == 0x810dc038 02151 392 NtUserGetAtomName (49208, 1233384, ... ) == 0x15 02152 392 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 02153 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230908, ... ) }, 1230908, ... ) == 0x0 02154 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0 02155 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 12, ... 240, ) == 0x0 02156 392 NtClose (12, ... ) == 0x0 02157 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 204800, ) == 0x0 02158 392 NtClose (240, ... ) == 0x0 02159 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 02160 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231224, ... 
) }, 1231224, ... ) == 0x0 02161 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02162 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 12, ) == 0x0 02163 392 NtQuerySection (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02164 392 NtClose (240, ... ) == 0x0 02165 392 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 02166 392 NtClose (12, ... ) == 0x0 02167 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02168 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02169 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02170 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 02171 392 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02172 392 NtClose (12, ... ) == 0x0 02173 392 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 02174 392 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 02175 392 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 240, ) }, ... 240, ) == 0x0 02176 392 NtQueryValueKey (240, (240, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02177 392 NtClose (240, ... ) == 0x0 02178 392 NtClose (12, ... ) == 0x0 02179 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02180 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 02181 392 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02182 392 NtClose (12, ... 
) == 0x0 02183 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 02184 392 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 240, ) }, ... 240, ) == 0x0 02185 392 NtQueryValueKey (240, (240, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02186 392 NtClose (240, ... ) == 0x0 02187 392 NtClose (12, ... ) == 0x0 02188 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02189 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02190 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230724, ... ) }, 1230724, ... ) == 0x0 02191 392 NtUserGetProcessWindowStation (... ) == 0x28 02192 392 NtUserGetObjectInformation (40, 2, 0, 0, 1233020, ... ) == 0x0 02193 392 NtUserGetObjectInformation (40, 2, 1392432, 16, 1233020, ... ) == 0x1 02194 392 NtUserGetGUIThreadInfo (392, 1232976, ... ) == 0x1 02195 392 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232796, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0 02196 392 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 388, 392, 2623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 388, 392, 2623, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 388, 392, 2623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02197 392 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 388, 392, 2624, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 388, 392, 2624, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 388, 392, 2624, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02198 392 NtUserCallNoParam (29, ... 02199 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230268, ... ) }, 1230268, ... ) == 0x0 02198 392 NtUserCallNoParam ... ) == 0x0 02200 392 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 02201 392 NtGdiHfontCreate (1232348, 356, 0, 0, 1394080, ... ) == 0x30a0347 02202 392 NtGdiHfontCreate (1232348, 356, 0, 0, 1394072, ... ) == 0x30a0346 02203 392 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 388, 392, 2625, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 388, 392, 2625, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 388, 392, 2625, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02204 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 331776, ) == 0x0 02205 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02206 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02207 392 NtUserGetWindowDC (0, ... 
) == 0x1010054 02208 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02209 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02210 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02211 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02212 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02213 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02214 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02215 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02216 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02217 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02218 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02219 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02220 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02221 392 NtAllocateVirtualMemory (-1, 8871936, 0, 4096, 4096, 4, ... 8871936, 4096, ) == 0x0 02222 392 NtUserGetWindowDC (0, ... ) == 0x1010054 02223 392 NtGdiCreatePatternBrushInternal (59048373, 0, 0, ... ) == 0x2100349 02224 392 NtUserCallOneParam (16842836, 56, ... ) == 0x1 02225 392 NtUserCallNoParam (29, ... 02226 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229712, ... ) }, 1229712, ... ) == 0x0 02225 392 NtUserCallNoParam ... ) == 0x0 02227 392 NtUserCallNoParam (29, ... 02228 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0 02227 392 NtUserCallNoParam ... ) == 0x0 02229 392 NtUserMessageCall (0x100e6, WM_NCCREATE, 0x0, 0x12d194, 0, 670, 0, ... ) == 0x1 02230 392 NtUserMessageCall (0x100e6, WM_NCCALCSIZE, 0x0, 0x12d1bc, 0, 670, 0, ... ) == 0x0 02231 392 NtUserSetProp (65766, 43288, -1, ... ) == 0x1 02152 392 NtUserCreateWindowEx ... ) == 0x100e6 02232 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 252, ) }, ... 252, ) == 0x0 02233 392 NtQueryValueKey (252, (252, "MaximizeApps", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02234 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 256, ) }, ... 256, ) == 0x0 02235 392 NtQueryValueKey (256, (256, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 392 NtClose (256, ... ) == 0x0 02237 392 NtClose (252, ... ) == 0x0 02238 392 NtAllocateVirtualMemory (-1, 1458176, 0, 24576, 4096, 4, ... 1458176, 24576, ) == 0x0 02239 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0 02240 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 256, ) == 0x0 02241 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02242 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0 02243 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02244 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02245 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233148, (0xc0100080, {24, 0, 0x40, 0, 1233148, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0 02246 392 NtSetInformationFile (264, 1233204, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02247 392 NtSetInformationFile (264, 1233196, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02248 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02249 392 NtWriteFile (264, 253, 0, 0, (264, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02250 392 NtReadFile (264, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (264, 253, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\342#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02251 392 NtFsControlFile (264, 253, 0x0, 0x0, 0x11c017, (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\342#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\342#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02252 392 NtClose (260, ... ) == 0x0 02253 392 NtClose (264, ... ) == 0x0 02254 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233192, ... ) }, 1233192, ... ) == 0x0 02255 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02256 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02257 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "efniz.bat"}, 1233012, ... ) }, 1233012, ... ) == 0x0 02258 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02259 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02260 392 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1329480, 0, (0x1f0003, {24, 52, 0x80, 1329480, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 264, ) }, 0, 2147483647, ... 264, ) == STATUS_OBJECT_NAME_EXISTS 02261 392 NtReleaseSemaphore (264, 1, ... 
0, ) == 0x0 02262 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 02263 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0 02265 392 NtQueryValueKey (260, (260, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 392 NtClose (260, ... ) == 0x0 02267 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 02268 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 02269 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02270 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0 02271 392 NtQueryValueKey (260, (260, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02272 392 NtClose (260, ... ) == 0x0 02273 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 02274 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 02275 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02276 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0 02277 392 NtQueryValueKey (260, (260, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02278 392 NtClose (260, ... ) == 0x0 02279 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 02280 392 NtWaitForSingleObject (264, 0, {0, 0}, ... 
) == 0x0 02281 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02282 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0 02283 392 NtQueryValueKey (260, (260, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02284 392 NtClose (260, ... ) == 0x0 02285 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 260, ) }, ... 260, ) == 0x0 02286 392 NtEnumerateKey (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0 02287 392 NtOpenKey (0x20019, {24, 260, 0x40, 0, 0, (0x20019, {24, 260, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 268, ) }, ... 268, ) == 0x0 02288 392 NtQueryValueKey (268, (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02289 392 NtClose (268, ... ) == 0x0 02290 392 NtEnumerateKey (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0 02291 392 NtOpenKey (0x20019, {24, 260, 0x40, 0, 0, (0x20019, {24, 260, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 268, ) }, ... 268, ) == 0x0 02292 392 NtQueryValueKey (268, (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02293 392 NtClose (268, ... ) == 0x0 02294 392 NtEnumerateKey (260, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (260, 2, Basic, 288, ... 
{LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0 02295 392 NtOpenKey (0x20019, {24, 260, 0x40, 0, 0, (0x20019, {24, 260, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 268, ) }, ... 268, ) == 0x0 02296 392 NtQueryValueKey (268, (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02297 392 NtClose (268, ... ) == 0x0 02298 392 NtEnumerateKey (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0 02299 392 NtOpenKey (0x20019, {24, 260, 0x40, 0, 0, (0x20019, {24, 260, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 268, ) }, ... 268, ) == 0x0 02300 392 NtQueryValueKey (268, (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02301 392 NtClose (268, ... ) == 0x0 02302 392 NtEnumerateKey (260, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02303 392 NtClose (260, ... ) == 0x0 02304 392 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02305 392 NtOpenProcessToken (-1, 0x8, ... 260, ) == 0x0 02306 392 NtQueryInformationToken (260, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02307 392 NtClose (260, ... ) == 0x0 02308 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02309 392 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0 02310 392 NtOpenKey (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 
268, ) == 0x0 02311 392 NtCreateKey (0x20019, {24, 268, 0x40, 0, 0, (0x20019, {24, 268, 0x40, 0, 0, "SessionInfo\0000000000009248"}, 0, 0x0, 1, ... 272, 2, ) }, 0, 0x0, 1, ... 272, 2, ) == 0x0 02312 392 NtClose (268, ... ) == 0x0 02313 392 NtOpenKey (0x20019, {24, 272, 0x40, 0, 0, (0x20019, {24, 272, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02314 392 NtClose (272, ... ) == 0x0 02315 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02316 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 272, ) == 0x0 02317 392 NtQueryInformationToken (272, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02318 392 NtClose (272, ... ) == 0x0 02319 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 272, ) }, ... 272, ) == 0x0 02320 392 NtSetInformationObject (274, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 02321 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02322 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02323 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0 02324 392 NtQueryKey (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 02325 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02326 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 02327 392 NtQueryInformationToken (276, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02328 392 NtClose (276, ... ) == 0x0 02329 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02330 392 NtQueryValueKey (270, (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02331 392 NtClose (270, ... ) == 0x0 02332 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02333 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0 02335 392 NtQueryKey (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 02336 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02337 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 02338 392 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02339 392 NtClose (276, ... ) == 0x0 02340 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02341 392 NtQueryValueKey (270, (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02342 392 NtClose (270, ... 
) == 0x0 02343 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02344 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02345 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0 02346 392 NtQueryKey (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 02347 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02348 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 02349 392 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02350 392 NtClose (276, ... ) == 0x0 02351 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02352 392 NtQueryValueKey (270, (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02353 392 NtClose (270, ... ) == 0x0 02354 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02355 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0 02356 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02357 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0 02358 392 NtQueryKey (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02359 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02360 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 02361 392 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02362 392 NtClose (276, ... ) == 0x0 02363 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02364 392 NtQueryValueKey (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02365 392 NtQueryKey (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02366 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02367 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 02368 392 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02369 392 NtClose (276, ... 
) == 0x0 02370 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02371 392 NtQueryValueKey (270, (270, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02372 392 NtClose (270, ... ) == 0x0 02373 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 02374 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 02375 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02376 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 268, ) }, ... 268, ) == 0x0 02377 392 NtQueryValueKey (268, (268, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02378 392 NtClose (268, ... ) == 0x0 02379 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 268, ) }, ... 268, ) == 0x0 02380 392 NtQueryValueKey (268, (268, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02381 392 NtClose (268, ... ) == 0x0 02382 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0 02383 392 NtQueryValueKey (268, " (268, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) (268, "", Full, 520, ... 
TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0 02384 392 NtClose (268, ... ) == 0x0 02385 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0 02386 392 NtQueryVolumeInformationFile (268, 1233332, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02387 392 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 276, ) }, ... 276, ) == 0x0 02388 392 NtWaitForSingleObject (276, 0, {-1000000, -1}, ... ) == 0x0 02389 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 280, ) }, ... 280, ) == 0x0 02390 392 NtMapViewOfSection (280, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe00000), {0, 0}, 57344, ) == 0x0 02391 392 NtQueryInformationFile (268, 1233296, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02392 392 NtQueryInformationFile (268, 1233336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02393 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02394 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 284, ) == 0x0 02395 392 NtQueryInformationToken (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02396 392 NtClose (284, ... ) == 0x0 02397 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02398 392 NtReleaseMutant (276, ... 0x0, ) == 0x0 02399 392 NtClose (268, ... 
) == 0x0 02400 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0 02401 392 NtQueryValueKey (268, (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02402 392 NtClose (268, ... ) == 0x0 02403 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02404 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02405 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02406 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231084, ... ) }, 1231084, ... ) == 0x0 02407 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 268, {status=0x0, info=1}, ) }, 5, 96, ... 268, {status=0x0, info=1}, ) == 0x0 02408 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 268, ... 284, ) == 0x0 02409 392 NtQuerySection (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02410 392 NtClose (268, ... ) == 0x0 02411 392 NtMapViewOfSection (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0 02412 392 NtClose (284, ... ) == 0x0 02413 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02414 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230280, ... ) }, 1230280, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02415 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02416 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0 02417 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0 02418 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 284, ... 268, ) == 0x0 02419 392 NtQuerySection (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02420 392 NtClose (284, ... ) == 0x0 02421 392 NtMapViewOfSection (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0 02422 392 NtClose (268, ... ) == 0x0 02423 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 268, ) }, ... 268, ) == 0x0 02424 392 NtMapViewOfSection (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 02425 392 NtClose (268, ... ) == 0x0 02426 392 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02427 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02428 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 268, ) }, ... 268, ) == 0x0 02429 392 NtQueryValueKey (268, (268, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02430 392 NtQueryValueKey (268, (268, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02431 392 NtClose (268, ... 
) == 0x0 02432 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231112, ... ) }, 1231112, ... ) == 0x0 02433 392 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02434 392 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02435 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0 02436 392 NtQueryValueKey (268, (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02437 392 NtClose (268, ... ) == 0x0 02438 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 268, ) }, ... 268, ) == 0x0 02439 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0 02440 392 NtNotifyChangeKey (268, 284, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02441 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 288, ) }, ... 288, ) == 0x0 02442 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0 02443 392 NtNotifyChangeKey (288, 292, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02444 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0 02445 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 300, ) }, ... 300, ) == 0x0 02446 392 NtSetInformationObject (300, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 02447 392 NtNotifyChangeKey (300, 296, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02448 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 304, ) }, ... 
304, ) == 0x0 02449 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0 02450 392 NtNotifyChangeKey (304, 308, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02451 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 02452 392 NtNotifyChangeKey (300, 312, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02453 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 316, ) }, ... 316, ) == 0x0 02454 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 320, ) == 0x0 02455 392 NtNotifyChangeKey (316, 320, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02456 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 324, ) }, ... 324, ) == 0x0 02457 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 02458 392 NtNotifyChangeKey (324, 328, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02459 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 332, ) }, ... 332, ) == 0x0 02460 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 336, ) == 0x0 02461 392 NtNotifyChangeKey (332, 336, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02462 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 340, ) }, ... 340, ) == 0x0 02463 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0 02464 392 NtNotifyChangeKey (340, 344, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02465 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0 02466 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0 02467 392 NtNotifyChangeKey (348, 352, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02468 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 356, ) == 0x0 02469 392 NtNotifyChangeKey (300, 356, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... 
) == 0x103 02470 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 360, ) }, ... 360, ) == 0x0 02471 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0 02472 392 NtNotifyChangeKey (360, 364, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02473 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 368, ) }, ... 368, ) == 0x0 02474 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 02475 392 NtNotifyChangeKey (368, 372, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02476 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 376, ) }, ... 376, ) == 0x0 02477 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0 02478 392 NtNotifyChangeKey (376, 380, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 02479 392 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02480 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 384, ) }, ... 384, ) == 0x0 02481 392 NtQueryValueKey (384, (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02482 392 NtClose (384, ... ) == 0x0 02483 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02484 392 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 02485 392 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 384, ) }, ... 384, ) == 0x0 02486 392 NtMapViewOfSection (384, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe80000), {0, 0}, 24576, ) == 0x0 02487 392 NtAllocateVirtualMemory (-1, 8876032, 0, 8192, 4096, 4, ... 8876032, 8192, ) == 0x0 02488 392 NtAllocateVirtualMemory (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0 02489 392 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02490 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 388, ) }, ... 388, ) == 0x0 02491 392 NtQueryValueKey (388, (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02492 392 NtClose (388, ... ) == 0x0 02493 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02494 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02495 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 1, ... 15269888, 65536, ) == 0x0 02496 392 NtAllocateVirtualMemory (-1, 15269888, 0, 4096, 4096, 4, ... 15269888, 4096, ) == 0x0 02497 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02498 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02499 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0 02500 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02501 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02502 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02503 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02504 392 NtClose (392, ... ) == 0x0 02505 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02506 392 NtOpenKey (0x1, {24, 390, 0x40, 0, 0, (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02507 392 NtClose (390, ... ) == 0x0 02508 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02509 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02510 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0 02511 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02512 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02513 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02514 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02515 392 NtClose (392, ... ) == 0x0 02516 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02517 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02518 392 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02519 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02520 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02521 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02522 392 NtClose (396, ... ) == 0x0 02523 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02524 392 NtQueryValueKey (394, (394, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02525 392 NtClose (394, ... ) == 0x0 02526 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02527 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02528 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02529 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02530 392 NtClose (392, ... ) == 0x0 02531 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02532 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02533 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02534 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02535 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02536 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02537 392 NtClose (392, ... ) == 0x0 02538 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02539 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02540 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02541 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02542 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02543 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02544 392 NtClose (392, ... 
) == 0x0 02545 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02546 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02547 392 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02548 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02549 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02550 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02551 392 NtClose (396, ... ) == 0x0 02552 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02553 392 NtQueryValueKey (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02554 392 NtClose (394, ... ) == 0x0 02555 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02556 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02557 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02558 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02559 392 NtClose (392, ... 
) == 0x0 02560 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02561 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02562 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02563 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02564 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02565 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02566 392 NtClose (392, ... ) == 0x0 02567 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02568 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02569 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02570 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02571 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02572 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02573 392 NtClose (392, ... ) == 0x0 02574 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02575 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02576 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0 02577 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02578 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02579 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02580 392 NtClose (392, ... ) == 0x0 02581 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02582 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02583 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02584 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02585 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 392, ) }, ... 392, ) == 0x0 02586 392 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02587 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02588 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
396, ) == 0x0 02589 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02590 392 NtClose (396, ... ) == 0x0 02591 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02592 392 NtQueryValueKey (394, (394, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02593 392 NtClose (394, ... ) == 0x0 02594 392 NtClose (390, ... ) == 0x0 02595 392 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 388, ) == 0x0 02596 392 NtQueryInformationProcess (388, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 02597 392 NtClose (388, ... ) == 0x0 02598 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02599 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02600 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0 02601 392 NtClose (390, ... ) == 0x0 02602 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0 02603 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02604 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0 02605 392 NtQueryKey (390, Name, 384, ... 
{Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02606 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02607 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02608 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02609 392 NtClose (392, ... ) == 0x0 02610 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02611 392 NtOpenKey (0x2000000, {24, 390, 0x40, 0, 0, (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02612 392 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02613 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02614 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02615 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02616 392 NtClose (396, ... ) == 0x0 02617 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02618 392 NtQueryValueKey (394, (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0 02619 392 NtClose (394, ... ) == 0x0 02620 392 NtClose (390, ... 
) == 0x0 02621 392 NtAllocateVirtualMemory (-1, 1486848, 0, 8192, 4096, 4, ... 1486848, 8192, ) == 0x0 02622 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02623 392 NtOpenKey (0x20019, {24, 274, 0x40, 0, 0, (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02624 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0 02625 392 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02626 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02627 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02628 392 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02629 392 NtClose (392, ... ) == 0x0 02630 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02631 392 NtOpenKey (0x1, {24, 390, 0x40, 0, 0, (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02632 392 NtClose (390, ... ) == 0x0 02633 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227504, ... ) }, 1227504, ... ) == 0x0 02634 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02635 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 
392, ) == 0x0 02636 392 NtClose (388, ... ) == 0x0 02637 392 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 1339392, ) == 0x0 02638 392 NtClose (392, ... ) == 0x0 02639 392 NtUnmapViewOfSection (-1, 0xea0000, ... ) == 0x0 02640 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227820, ... ) }, 1227820, ... ) == 0x0 02641 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 392, {status=0x0, info=1}, ) }, 5, 96, ... 392, {status=0x0, info=1}, ) == 0x0 02642 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 392, ... 388, ) == 0x0 02643 392 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02644 392 NtClose (392, ... ) == 0x0 02645 392 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0 02646 392 NtClose (388, ... ) == 0x0 02647 392 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 02648 392 NtQueryDefaultUILanguage (1226184, ... 02649 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02650 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482112, ) == 0x0 02651 392 NtQueryInformationToken (-2147482112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02652 392 NtClose (-2147482112, ... ) == 0x0 02653 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482112, ) }, ... -2147482112, ) == 0x0 02654 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02655 392 NtOpenKey (0x80000000, {24, -2147482112, 0x640, 0, 0, (0x80000000, {24, -2147482112, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482104, ) }, ... 
-2147482104, ) == 0x0 02656 392 NtQueryValueKey (-2147482104, (-2147482104, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02657 392 NtClose (-2147482104, ... ) == 0x0 02658 392 NtClose (-2147482112, ... ) == 0x0 02648 392 NtQueryDefaultUILanguage ... ) == 0x0 02659 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02660 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02661 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 388, ... 392, ) == 0x0 02662 392 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xea0000), 0x0, 1339392, ) == 0x0 02663 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02664 392 NtQueryDefaultLocale (1, 1224220, ... ) == 0x0 02665 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02666 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 388, 392, 2626, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 392, 2626, 0} (24, {128, 156, new_msg, 0, 1225076, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 392, 2626, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0t\270\22\0\0\0\0\0" ) ) == 0x0 02667 392 NtClose (388, ... ) == 0x0 02668 392 NtClose (392, ... ) == 0x0 02669 392 NtUnmapViewOfSection (-1, 0xea0000, ... ) == 0x0 02670 392 NtUnmapViewOfSection (-1, 0x12b874, ... ) == STATUS_NOT_MAPPED_VIEW 02671 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02672 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02673 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02674 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02675 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222760, ... ) }, 1222760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02676 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02677 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02678 392 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 02679 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223352, ... ) }, 1223352, ... ) == 0x0 02680 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 392, {status=0x0, info=1}, ) }, 3, 33, ... 392, {status=0x0, info=1}, ) == 0x0 02681 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02682 392 NtUserFindExistingCursorIcon (1227304, 1227320, 1227888, ... ) == 0x10011 02683 392 NtUserRegisterClassExWOW (1227756, 1227836, 1227820, 1227852, 0, 384, 0, ... ) == 0x810d0000 02684 392 NtUserGetClassInfo (1905590272, 1227920, 1227872, 1227948, 0, ... ) == 0xc05f 02685 392 NtGdiCreateHalftonePalette (0, ... ) == 0x11080465 02686 392 NtGdiDoPalette (285738085, 0, 256, 1227012, 2, 0, ... ) == 0x100 02687 392 NtGdiDeleteObjectApp (285738085, ... ) == 0x1 02688 392 NtGdiCreateCompatibleDC (0, ... ) == 0x12010465 02689 392 NtGdiCreatePaletteInternal (1227008, 256, ... ) == 0xd08046c 02690 392 NtGdiDeleteObjectApp (302056549, ... ) == 0x1 02691 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0 02692 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02693 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 388, ) }, ... 388, ) == 0x0 02694 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0 02695 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02696 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02697 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02698 392 NtClose (396, ... ) == 0x0 02699 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02700 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02701 392 NtClose (390, ... ) == 0x0 02702 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02703 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02704 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0 02705 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02706 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02707 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02708 392 NtQueryInformationToken (396, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02709 392 NtClose (396, ... ) == 0x0 02710 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02711 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02712 392 NtClose (390, ... ) == 0x0 02713 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02714 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02715 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0 02716 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02717 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02718 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02719 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02720 392 NtClose (396, ... ) == 0x0 02721 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02722 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02723 392 NtClose (390, ... ) == 0x0 02724 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02725 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02726 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0 02727 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02728 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02729 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02730 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02731 392 NtClose (396, ... ) == 0x0 02732 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02733 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02734 392 NtClose (390, ... 
) == 0x0 02735 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02736 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02737 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0 02738 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02739 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02740 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02741 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02742 392 NtClose (396, ... ) == 0x0 02743 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02744 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02745 392 NtClose (390, ... ) == 0x0 02746 392 NtAllocateVirtualMemory (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0 02747 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02748 392 NtAllocateVirtualMemory (-1, 1499136, 0, 12288, 4096, 4, ... 1499136, 12288, ) == 0x0 02749 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 02750 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02751 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0 02752 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 02753 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02754 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02755 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02756 392 NtClose (396, ... ) == 0x0 02757 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02758 392 NtQueryValueKey (390, (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02759 392 NtClose (390, ... ) == 0x0 02760 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02761 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02762 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0 02763 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0 02764 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02765 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02766 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02767 392 NtClose (396, ... ) == 0x0 02768 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02769 392 NtQueryValueKey (390, (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02770 392 NtClose (390, ... ) == 0x0 02771 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02772 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02773 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0 02774 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0 02775 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02776 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02777 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02778 392 NtClose (396, ... ) == 0x0 02779 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02780 392 NtQueryValueKey (390, (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02781 392 NtClose (390, ... ) == 0x0 02782 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02783 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02784 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0 02785 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 02786 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02787 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02788 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02789 392 NtClose (396, ... ) == 0x0 02790 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02791 392 NtQueryValueKey (390, (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02792 392 NtClose (390, ... ) == 0x0 02793 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 388, ) }, ... 388, ) == 0x0 02794 392 NtEnumerateValueKey (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0 02795 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 02796 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02797 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 396, ) }, ... 396, ) == 0x0 02798 392 NtQueryKey (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02799 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02800 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 02801 392 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02802 392 NtClose (400, ... ) == 0x0 02803 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02804 392 NtQueryValueKey (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 02805 392 NtQueryKey (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02806 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02807 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 400, ) == 0x0 02808 392 NtQueryInformationToken (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02809 392 NtClose (400, ... ) == 0x0 02810 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02811 392 NtQueryValueKey (398, (398, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02812 392 NtClose (398, ... ) == 0x0 02813 392 NtEnumerateValueKey (388, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02814 392 NtClose (388, ... ) == 0x0 02815 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02816 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02817 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1232464, ... ) }, 1232464, ... ) == 0x0 02818 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02819 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02820 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0 02821 392 NtQueryValueKey (388, (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0 02822 392 NtClose (388, ... ) == 0x0 02823 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02824 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02825 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1233492, ... ) }, 1233492, ... ) == 0x0 02826 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02827 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02828 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0 02829 392 NtQueryValueKey (388, (388, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02830 392 NtQueryValueKey (388, (388, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 02831 392 NtClose (388, ... ) == 0x0 02832 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234316, (0x80100080, {24, 0, 0x40, 0, 1234316, "\??\u:\work\efniz.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0 02833 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 396, ) }, ... 396, ) == 0x0 02834 392 NtQuerySymbolicLinkObject (396, ... (396, ... "\Device\WinDfs\U:0000000000009248", 66, ) , 66, ) == 0x0 02835 392 NtClose (396, ... ) == 0x0 02836 392 NtQueryInformationFile (388, 1232760, 528, Name, ... {status=0x0, info=70}, ) == 0x0 02837 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02838 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02839 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\efniz.bat"}, 1231440, ... ) }, 1231440, ... ) == 0x0 02840 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02841 392 NtQueryDirectoryFile (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 02842 392 NtClose (396, ... ) == 0x0 02843 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02844 392 NtQueryDirectoryFile (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, (396, 0, 0, 0, 1230800, 616, BothDirectory, 1, "efniz.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 02845 392 NtClose (396, ... ) == 0x0 02846 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02847 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02848 392 NtSetInformationFile (388, 1234200, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02849 392 NtReadFile (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0 02850 392 NtWaitForSingleObject (108, 0, 0x0, ... ) == 0x0 02851 392 NtClearEvent (128, ... ) == 0x0 02852 392 NtReleaseMutant (108, ... 0x0, ) == 0x0 02853 392 NtWaitForSingleObject (108, 0, 0x0, ... ) == 0x0 02854 392 NtSetEvent (128, ... 0x0, ) == 0x0 02855 392 NtReleaseMutant (108, ... 
0x0, ) == 0x0 02856 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02857 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02858 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0 02859 392 NtClose (396, ... ) == 0x0 02860 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02861 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02862 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 02863 392 NtClose (396, ... 
) == 0x0 02864 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02865 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02866 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0 02867 392 NtClose (396, ... ) == 0x0 02868 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02869 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02870 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0 02871 392 NtClose (396, ... 
) == 0x0 02872 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02873 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02874 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0 02875 392 NtClose (396, ... ) == 0x0 02876 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02877 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02878 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0 02879 392 NtClose (396, ... 
) == 0x0 02880 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02881 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0 02882 392 NtQueryValueKey (396, (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 02883 392 NtQueryValueKey (396, (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0 02884 392 NtClose (396, ... ) == 0x0 02885 392 NtWaitForMultipleObjects (2, (108, 128, ), 0, 0, 0x0, ... ) == 0x0 02886 392 NtReleaseMutant (108, ... 0x0, ) == 0x0 02887 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02888 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02889 392 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02890 392 NtClose (396, ... ) == 0x0 02891 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0 02892 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02893 392 NtClose (396, ... 
) == 0x0 02894 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 396, ) }, ... 396, ) == 0x0 02895 392 NtQueryValueKey (396, (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02896 392 NtQueryValueKey (396, (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02897 392 NtQueryValueKey (396, (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02898 392 NtQueryValueKey (396, (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 02899 392 NtClose (396, ... ) == 0x0 02900 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 396, ) }, ... 396, ) == 0x0 02901 392 NtQueryValueKey (396, (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02902 392 NtQueryValueKey (396, (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02903 392 NtQueryValueKey (396, (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02904 392 NtQueryValueKey (396, (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02905 392 NtQueryValueKey (396, (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02906 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231488, ... ) }, 1231488, ... ) == 0x0 02907 392 NtOpenKey (0x20119, {24, 28, 0x40, 0, 0, (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 400, ) }, ... 400, ) == 0x0 02908 392 NtQueryValueKey (400, (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02909 392 NtQueryValueKey (400, (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02910 392 NtQueryValueKey (400, (400, "MachineGuid", Partial, 144, ... 
TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02911 392 NtQueryValueKey (400, (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0 02912 392 NtClose (400, ... ) == 0x0 02913 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02914 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 02915 392 NtOpenProcessToken (-1, 0x8, ... 400, ) == 0x0 02916 392 NtQueryInformationToken (400, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 02917 392 NtClose (400, ... ) == 0x0 02918 392 NtClose (396, ... ) == 0x0 02919 392 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02920 392 NtOpenProcessToken (-1, 0x8, ... 396, ) == 0x0 02921 392 NtQueryInformationToken (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02922 392 NtClose (396, ... ) == 0x0 02923 392 NtOpenKey (0x2000000, {24, 300, 0x40, 0, 0, (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0 02924 392 NtCreateKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 
400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0 02925 392 NtClose (396, ... ) == 0x0 02926 392 NtQueryValueKey (400, (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0 02927 392 NtClose (400, ... ) == 0x0 02928 392 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02929 392 NtOpenProcessToken (-1, 0x8, ... 400, ) == 0x0 02930 392 NtQueryInformationToken (400, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02931 392 NtClose (400, ... ) == 0x0 02932 392 NtOpenKey (0x2000000, {24, 300, 0x40, 0, 0, (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0 02933 392 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 396, ) }, ... 396, ) == 0x0 02934 392 NtClose (400, ... ) == 0x0 02935 392 NtQueryValueKey (396, (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0 02936 392 NtClose (396, ... ) == 0x0 02937 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02938 392 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 02939 392 NtOpenProcessToken (-1, 0x8, ... 396, ) == 0x0 02940 392 NtQueryInformationToken (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 02941 392 NtClose (396, ... ) == 0x0 02942 392 NtOpenKey (0x2000000, {24, 300, 0x40, 0, 0, (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 
396, ) == 0x0 02943 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02944 392 NtClose (396, ... ) == 0x0 02945 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02946 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 388, ... 396, ) == 0x0 02947 392 NtMapViewOfSection (396, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xea0000), {0, 0}, 4096, ) == 0x0 02948 392 NtClose (396, ... ) == 0x0 02949 392 NtQueryInformationFile (388, 1233704, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02950 392 NtUnmapViewOfSection (-1, 0xea0000, ... ) == 0x0 02951 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0 02952 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0 02953 392 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0 02954 392 NtEnumerateKey (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0 02955 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 408, ) == 0x0 02956 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02957 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0 02958 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0 02959 392 NtClose (408, ... ) == 0x0 02960 392 NtEnumerateKey (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02961 392 NtClose (404, ... ) == 0x0 02962 392 NtClose (400, ... ) == 0x0 02963 392 NtClose (396, ... ) == 0x0 02964 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0 02965 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0 02966 392 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 404, ) }, ... 404, ) == 0x0 02967 392 NtEnumerateKey (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0 02968 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 408, ) }, ... 408, ) == 0x0 02969 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02970 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0 02971 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0 02972 392 NtClose (408, ... ) == 0x0 02973 392 NtEnumerateKey (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02974 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0 02975 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02976 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02977 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02978 392 NtClose (408, ... 
) == 0x0 02979 392 NtEnumerateKey (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0 02980 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 408, ) }, ... 408, ) == 0x0 02981 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02982 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02983 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02984 392 NtClose (408, ... ) == 0x0 02985 392 NtEnumerateKey (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 02986 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0 02987 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02988 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 02989 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 02990 392 NtClose (408, ... ) == 0x0 02991 392 NtEnumerateKey (404, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02992 392 NtClose (404, ... ) == 0x0 02993 392 NtClose (400, ... ) == 0x0 02994 392 NtClose (396, ... ) == 0x0 02995 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0 02996 392 NtEnumerateKey (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0 02997 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0 02998 392 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0 02999 392 NtEnumerateKey (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0 03000 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 
408, ) == 0x0 03001 392 NtQueryKey (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03002 392 NtEnumerateValueKey (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0 03003 392 NtEnumerateValueKey (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0 03004 392 NtClose (408, ... ) == 0x0 03005 392 NtEnumerateKey (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03006 392 NtClose (404, ... ) == 0x0 03007 392 NtClose (400, ... ) == 0x0 03008 392 NtEnumerateKey (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0 03009 392 NtOpenKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 1"}, ... 400, ) }, ... 400, ) == 0x0 03010 392 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03011 392 NtClose (400, ... ) == 0x0 03012 392 NtEnumerateKey (396, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03013 392 NtClose (396, ... ) == 0x0 03014 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231232, ... ) }, 1231232, ... 
) == 0x0 03015 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0 03016 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 396, ... 400, ) == 0x0 03017 392 NtClose (396, ... ) == 0x0 03018 392 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 16384, ) == 0x0 03019 392 NtClose (400, ... ) == 0x0 03020 392 NtUnmapViewOfSection (-1, 0xea0000, ... ) == 0x0 03021 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0 03022 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 400, {status=0x0, info=1}, ) }, 5, 96, ... 400, {status=0x0, info=1}, ) == 0x0 03023 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 400, ... 396, ) == 0x0 03024 392 NtQuerySection (396, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03025 392 NtClose (400, ... ) == 0x0 03026 392 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0 03027 392 NtClose (396, ... ) == 0x0 03028 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230808, ... ) }, 1230808, ... ) == 0x0 03029 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 03030 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15335424, 1048576, ) == 0x0 03031 392 NtAllocateVirtualMemory (-1, 16375808, 0, 8192, 4096, 4, ... 16375808, 8192, ) == 0x0 03032 392 NtProtectVirtualMemory (-1, (0xf9e000), 4096, 260, ... (0xf9e000), 4096, 4, ) == 0x0 03033 392 NtCreateThread (0x1f03ff, 0x0, -1, 1232756, 1233472, 1, ... 400, {388, 164}, ) == 0x0 03034 392 NtQueryInformationThread (400, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=388,Tid=164,}, 0x0, ) == 0x0 03035 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 13} (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0\204\1\0\0\244\0\0\0" ... {28, 56, reply, 0, 388, 392, 2627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0\204\1\0\0\244\0\0\0" ) ... {28, 56, reply, 0, 388, 392, 2627, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0\204\1\0\0\244\0\0\0" ... {28, 56, reply, 0, 388, 392, 2627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0\204\1\0\0\244\0\0\0" ) ) == 0x0 03036 392 NtResumeThread (400, ... 1, ) == 0x0 03037 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 404, ) }, ... 404, ) == 0x0 03038 392 NtEnumerateKey (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0 03039 164 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03040 164 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03041 164 NtTestAlert (... ) == 0x0 03042 164 NtContinue (16383280, 1, ... 03043 164 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03044 164 NtWaitForMultipleObjects (1, (396, ), 1, 0, {-150000000, -1}, ... 03045 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 0"}, ... 408, ) }, ... 408, ) == 0x0 03046 392 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 412, ) }, ... 412, ) == 0x0 03047 392 NtEnumerateKey (412, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (412, 0, Basic, 288, ... 
{LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0 03048 392 NtOpenKey (0x20019, {24, 412, 0x40, 0, 0, (0x20019, {24, 412, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 416, ) }, ... 416, ) == 0x0 03049 392 NtQueryKey (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03050 392 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0 03051 392 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0 03052 392 NtClose (416, ... ) == 0x0 03053 392 NtEnumerateKey (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 03054 392 NtOpenKey (0x20019, {24, 412, 0x40, 0, 0, (0x20019, {24, 412, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0 03055 392 NtQueryKey (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03056 392 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 03057 392 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 03058 392 NtClose (416, ... ) == 0x0 03059 392 NtEnumerateKey (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0 03060 392 NtOpenKey (0x20019, {24, 412, 0x40, 0, 0, (0x20019, {24, 412, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 416, ) }, ... 416, ) == 0x0 03061 392 NtQueryKey (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03062 392 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 03063 392 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 03064 392 NtClose (416, ... ) == 0x0 03065 392 NtEnumerateKey (412, 3, Basic, 288, ... 
{LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (412, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0 03066 392 NtOpenKey (0x20019, {24, 412, 0x40, 0, 0, (0x20019, {24, 412, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0 03067 392 NtQueryKey (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03068 392 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0 03069 392 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0 03070 392 NtClose (416, ... ) == 0x0 03071 392 NtEnumerateKey (412, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03072 392 NtClose (412, ... ) == 0x0 03073 392 NtClose (408, ... ) == 0x0 03074 392 NtEnumerateKey (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0 03075 392 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 1"}, ... 408, ) }, ... 408, ) == 0x0 03076 392 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03077 392 NtClose (408, ... 
) == 0x0 03078 392 NtEnumerateKey (404, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03079 392 NtClose (404, ... ) == 0x0 03080 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03081 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03082 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03083 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231540, ... ) }, 1231540, ... ) == 0x0 03084 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 03085 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0 03086 392 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03087 392 NtClose (404, ... ) == 0x0 03088 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0 03089 392 NtClose (408, ... ) == 0x0 03090 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03091 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16384000, 65536, ) == 0x0 03092 392 NtAllocateVirtualMemory (-1, 16384000, 0, 4096, 4096, 4, ... 16384000, 4096, ) == 0x0 03093 392 NtAllocateVirtualMemory (-1, 16388096, 0, 8192, 4096, 4, ... 
16388096, 8192, ) == 0x0 03094 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231128, ... ) }, 1231128, ... ) == 0x0 03095 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03096 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 408, ... 404, ) == 0x0 03097 392 NtClose (408, ... ) == 0x0 03098 392 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 262144, ) == 0x0 03099 392 NtClose (404, ... ) == 0x0 03100 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03101 392 NtAllocateLocallyUniqueId (... {106043, 0}, ) == 0x0 03102 392 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 03103 392 NtOpenProcessToken (-1, 0x20008, ... 404, ) == 0x0 03104 392 NtQueryInformationToken (404, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0 03105 392 NtClose (404, ... ) == 0x0 03106 392 NtCreateSection (0xf0007, {24, 52, 0x80, 1232448, 0, (0xf0007, {24, 52, 0x80, 1232448, 0, "DfSharedHeap19E3B"}, {4194304, 0}, 4, 67108864, 0, ... 404, ) }, {4194304, 0}, 4, 67108864, 0, ... 404, ) == 0x0 03107 392 NtMapViewOfSection (404, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1090000), {0, 0}, 4194304, ) == 0x0 03108 392 NtAllocateVirtualMemory (-1, 17367040, 0, 16376, 4096, 4, ... 17367040, 16384, ) == 0x0 03109 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1229964, (0x80100080, {24, 0, 0x40, 0, 1229964, "\??\UNC\missouri\binaries\work\efniz.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) == 0x0 03110 392 NtReadFile (408, 0, 0, 1232668, 512, {0, 0}, 0, ... {status=0x0, info=121}, (408, 0, 0, 1232668, 512, {0, 0}, 0, ... 
{status=0x0, info=121}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del efniz.bat\15\12", ) , ) == 0x0 03111 392 NtClose (408, ... ) == 0x0 03112 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231232, ... ) }, 1231232, ... ) == 0x0 03113 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03114 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 408, ... 412, ) == 0x0 03115 392 NtClose (408, ... ) == 0x0 03116 392 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 69632, ) == 0x0 03117 392 NtClose (412, ... ) == 0x0 03118 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03119 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231548, ... ) }, 1231548, ... ) == 0x0 03120 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0 03121 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 412, ... 408, ) == 0x0 03122 392 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03123 392 NtClose (412, ... ) == 0x0 03124 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0 03125 392 NtClose (408, ... ) == 0x0 03126 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 408, ) }, ... 408, ) == 0x0 03127 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 03128 392 NtClose (408, ... ) == 0x0 03129 392 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... 
(0x763b1000), 4096, 32, ) == 0x0 03130 392 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03131 392 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 03132 392 NtProtectVirtualMemory (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0 03133 392 NtProtectVirtualMemory (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0 03134 392 NtFlushInstructionCache (-1, 1961533440, 672, ... ) == 0x0 03135 392 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 03136 392 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 03137 392 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 03138 392 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 03139 392 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 03140 392 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 03141 392 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 03142 392 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 03143 392 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 03144 392 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 03145 392 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 03146 392 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 03147 392 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 03148 392 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 03149 392 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 03150 392 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 03151 392 NtOpenProcessToken (-1, 0x8, ... 408, ) == 0x0 03152 392 NtQueryInformationToken (408, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 03153 392 NtClose (408, ... ) == 0x0 03154 392 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 03155 392 NtReleaseMutant (16, ... 03156 392 NtContinue (-136511352, 0, ... 03155 392 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 03157 392 NtQueryDefaultLocale (1, 1230228, ... ) == 0x0 03158 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03159 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03160 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03161 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03162 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03163 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03164 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03165 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03166 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03167 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... 
) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03168 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03169 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03170 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03171 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03172 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03173 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03174 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03175 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03176 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03177 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03178 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03179 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03180 392 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 03181 392 NtReleaseMutant (16, ... 03182 392 NtContinue (-136511352, 0, ... 03181 392 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 03183 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228220, ... ) }, 1228220, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03184 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228536, ... ) }, 1228536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03185 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03186 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03187 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03188 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03189 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03190 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03191 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03192 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03193 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228528, ... ) }, 1228528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03194 392 NtClose (388, ... ) == 0x0 03195 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0 03196 392 NtQueryValueKey (388, (388, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03197 392 NtClose (388, ... ) == 0x0 03198 392 NtOpenThreadToken (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN 03199 392 NtOpenProcessToken (-1, 0x2000a, ... 388, ) == 0x0 03200 392 NtQueryInformationToken (388, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 03201 392 NtQueryInformationToken (388, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 03202 392 NtClose (388, ... ) == 0x0 03203 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03204 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03205 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03206 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03207 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0 03208 392 NtQueryValueKey (388, (388, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03209 392 NtClose (388, ... 
) == 0x0 03210 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03211 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03212 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03213 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0 03214 392 NtQueryValueKey (388, (388, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03215 392 NtClose (388, ... ) == 0x0 03216 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0 03217 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03218 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 388, ) }, ... 388, ) == 0x0 03219 392 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 03220 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03221 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 03222 392 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03223 392 NtClose (408, ... ) == 0x0 03224 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03225 392 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03226 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230836, ... ) }, 1230836, ... ) == 0x0 03227 392 NtClose (390, ... ) == 0x0 03228 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03229 392 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 388, {status=0x0, info=1}, ) }, 3, 96, ... 388, {status=0x0, info=1}, ) == 0x0 03230 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 408, ) }, ... 408, ) == 0x0 03231 392 NtQuerySymbolicLinkObject (408, ... (408, ... "\Device\WinDfs\U:0000000000009248", 66, ) , 66, ) == 0x0 03232 392 NtClose (408, ... ) == 0x0 03233 392 NtQueryVolumeInformationFile (388, 1234188, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03234 392 NtClose (388, ... ) == 0x0 03235 392 NtWaitForSingleObject (120, 0, {0, 0}, ... ) == 0x102 03236 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 388, ) }, ... 388, ) == 0x0 03237 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 408, ) }, ... 408, ) == 0x0 03238 392 NtQueryValueKey (408, (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... 
TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 03239 392 NtQueryValueKey (408, (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 03240 392 NtClose (408, ... ) == 0x0 03241 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0 03242 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03243 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03244 392 NtQueryValueKey (408, (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03245 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03246 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03247 392 NtClose (408, ... ) == 0x0 03248 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0 03249 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 03250 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 03251 392 NtQueryValueKey (408, (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03252 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 03253 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 03254 392 NtClose (408, ... ) == 0x0 03255 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0 03256 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03257 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03258 392 NtQueryValueKey (408, (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03259 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03260 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03261 392 NtClose (408, ... ) == 0x0 03262 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0 03263 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03264 392 NtQueryValueKey (408, (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03265 392 NtQueryValueKey (408, (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03266 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 03267 392 NtQueryValueKey (408, (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 03268 392 NtClose (408, ... ) == 0x0 03269 392 NtClose (388, ... ) == 0x0 03270 392 NtQueryDefaultLocale (1, 1233740, ... ) == 0x0 03271 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0 03272 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 03273 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0 03274 392 NtClose (388, ... ) == 0x0 03275 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 12288, ) == 0x0 03276 392 NtClose (408, ... ) == 0x0 03277 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03278 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 03279 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03280 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0 03281 392 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03282 392 NtClose (408, ... ) == 0x0 03283 392 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0 03284 392 NtClose (388, ... 
) == 0x0 03285 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 388, ) }, ... 388, ) == 0x0 03286 392 NtQueryValueKey (388, (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03287 392 NtClose (388, ... ) == 0x0 03288 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0 03289 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 03290 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0 03291 392 NtClose (388, ... ) == 0x0 03292 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 40960, ) == 0x0 03293 392 NtClose (408, ... ) == 0x0 03294 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03295 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 03296 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03297 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0 03298 392 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03299 392 NtClose (408, ... ) == 0x0 03300 392 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x71c10000), 0x0, 53248, ) == 0x0 03301 392 NtClose (388, ... ) == 0x0 03302 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03303 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0 03304 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 03305 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0 03306 392 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03307 392 NtClose (388, ... ) == 0x0 03308 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0 03309 392 NtClose (408, ... ) == 0x0 03310 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03311 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231256, ... ) }, 1231256, ... ) == 0x0 03312 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03313 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0 03314 392 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03315 392 NtClose (408, ... ) == 0x0 03316 392 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0 03317 392 NtClose (388, ... ) == 0x0 03318 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03319 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0 03320 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 03321 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0 03322 392 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03323 392 NtClose (388, ... ) == 0x0 03324 392 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0 03325 392 NtClose (408, ... ) == 0x0 03326 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03327 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230452, ... ) }, 1230452, ... ) == 0x0 03328 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0 03329 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0 03330 392 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03331 392 NtClose (408, ... ) == 0x0 03332 392 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 03333 392 NtClose (388, ... ) == 0x0 03334 392 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 388, ) }, ... 388, ) == 0x0 03335 392 NtQueryValueKey (388, (388, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03336 392 NtAllocateVirtualMemory (-1, 8884224, 0, 4096, 4096, 4, ... 8884224, 4096, ) == 0x0 03337 392 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 408, ) == 0x0 03338 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231752, ... ) }, 1231752, ... ) == 0x0 03339 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0 03340 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0 03341 392 NtClose (412, ... ) == 0x0 03342 392 NtMapViewOfSection (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 24576, ) == 0x0 03343 392 NtClose (416, ... ) == 0x0 03344 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03345 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232068, ... ) }, 1232068, ... ) == 0x0 03346 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0 03347 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0 03348 392 NtQuerySection (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03349 392 NtClose (416, ... ) == 0x0 03350 392 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 03351 392 NtClose (412, ... ) == 0x0 03352 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 412, ) }, ... 412, ) == 0x0 03353 392 NtQueryValueKey (412, (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03354 392 NtClose (412, ... ) == 0x0 03355 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03356 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03357 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03358 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03359 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231744, ... ) }, 1231744, ... ) == 0x0 03360 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0 03361 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0 03362 392 NtClose (412, ... ) == 0x0 03363 392 NtMapViewOfSection (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 122880, ) == 0x0 03364 392 NtClose (416, ... ) == 0x0 03365 392 NtUnmapViewOfSection (-1, 0xfb0000, ... ) == 0x0 03366 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03367 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 03368 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03369 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03370 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232060, ... ) }, 1232060, ... ) == 0x0 03371 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0 03372 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0 03373 392 NtQuerySection (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03374 392 NtClose (416, ... ) == 0x0 03375 392 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xfb0000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE 03376 392 NtProtectVirtualMemory (-1, (0xfb1000), 81920, 4, ... (0xfb1000), 81920, 32, ) == 0x0 03377 392 NtProtectVirtualMemory (-1, (0xfc5000), 12288, 4, ... (0xfc5000), 12288, 2, ) == 0x0 03378 392 NtProtectVirtualMemory (-1, (0xfce000), 8192, 4, ... (0xfce000), 8192, 2, ) == 0x0 03379 392 NtMapViewOfSection (412, -1, (0xfb0000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 03380 392 NtProtectVirtualMemory (-1, (0xfb1000), 81920, 16, ... (0xfb1000), 81920, 4, ) == 0x0 03381 392 NtProtectVirtualMemory (-1, (0xfc5000), 12288, 2, ... (0xfc5000), 12288, 4, ) == 0x0 03382 392 NtProtectVirtualMemory (-1, (0xfce000), 8192, 2, ... (0xfce000), 8192, 8, ) == 0x0 03383 392 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 03384 392 NtClose (412, ... ) == 0x0 03385 392 NtProtectVirtualMemory (-1, (0xfc5000), 416, 4, ... 
(0xfc5000), 4096, 2, ) == 0x0 03386 392 NtProtectVirtualMemory (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0 03387 392 NtFlushInstructionCache (-1, 16535552, 416, ... ) == 0x0 03388 392 NtProtectVirtualMemory (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0 03389 392 NtProtectVirtualMemory (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0 03390 392 NtFlushInstructionCache (-1, 16535552, 416, ... ) == 0x0 03391 392 NtProtectVirtualMemory (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0 03392 392 NtProtectVirtualMemory (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0 03393 392 NtFlushInstructionCache (-1, 16535552, 416, ... ) == 0x0 03394 392 NtProtectVirtualMemory (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0 03395 392 NtProtectVirtualMemory (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0 03396 392 NtFlushInstructionCache (-1, 16535552, 416, ... ) == 0x0 03397 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03398 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16580608, 65536, ) == 0x0 03399 392 NtAllocateVirtualMemory (-1, 16580608, 0, 4096, 4096, 4, ... 16580608, 4096, ) == 0x0 03400 392 NtAllocateVirtualMemory (-1, 16584704, 0, 8192, 4096, 4, ... 16584704, 8192, ) == 0x0 03401 392 NtAllocateVirtualMemory (-1, 16592896, 0, 4096, 4096, 4, ... 16592896, 4096, ) == 0x0 03402 392 NtQueryPerformanceCounter (... {320784776, 0}, {3579545, 0}, ) == 0x0 03403 392 NtRaiseException (1231552, 1230812, 1, ... 03404 392 NtContinue (1229608, 0, ... 03405 392 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 412, ) }, ... 
412, ) == 0x0 03406 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03407 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03408 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03409 392 NtRaiseException (1221528, 1220788, 1, ... 03410 392 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 03411 392 NtContinue (1219584, 0, ... 03412 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03413 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03414 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03415 392 NtRaiseException (1223288, 1222548, 1, ... 03416 392 NtContinue (1221344, 0, ... 03417 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03418 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03419 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03420 392 NtRaiseException (1223292, 1222552, 1, ... 03421 392 NtContinue (1221348, 0, ... 03422 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03423 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03424 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03425 392 NtRaiseException (1223288, 1222548, 1, ... 03426 392 NtContinue (1221344, 0, ... 03427 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03428 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03429 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03430 392 NtRaiseException (1223292, 1222552, 1, ... 03431 392 NtContinue (1221348, 0, ... 03432 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03433 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03434 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03435 392 NtRaiseException (1223288, 1222548, 1, ... 03436 392 NtContinue (1221344, 0, ... 03437 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03438 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03439 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03440 392 NtRaiseException (1223292, 1222552, 1, ... 03441 392 NtContinue (1221348, 0, ... 03442 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03443 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03444 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03445 392 NtRaiseException (1223288, 1222548, 1, ... 03446 392 NtContinue (1221344, 0, ... 03447 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03448 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03449 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03450 392 NtRaiseException (1223292, 1222552, 1, ... 03451 392 NtContinue (1221348, 0, ... 03452 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03453 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03454 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03455 392 NtRaiseException (1223288, 1222548, 1, ... 03456 392 NtContinue (1221344, 0, ... 03457 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03458 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03459 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03460 392 NtRaiseException (1223292, 1222552, 1, ... 03461 392 NtContinue (1221348, 0, ... 03462 392 NtWaitForSingleObject (412, 0, 0x0, ... 
) == 0x0 03463 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03464 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03465 392 NtRaiseException (1223288, 1222548, 1, ... 03466 392 NtContinue (1221344, 0, ... 03467 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03468 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03469 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03470 392 NtRaiseException (1223292, 1222552, 1, ... 03471 392 NtContinue (1221348, 0, ... 03472 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03473 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03474 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03475 392 NtRaiseException (1223288, 1222548, 1, ... 03476 392 NtContinue (1221344, 0, ... 03477 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03478 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03479 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03480 392 NtRaiseException (1223292, 1222552, 1, ... 03481 392 NtContinue (1221348, 0, ... 03482 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03483 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03484 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03485 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 03486 392 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 416, ) == 0x0 03487 392 NtQueryInformationProcess (416, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 03488 392 NtClose (416, ... 
) == 0x0 03489 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 03490 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03491 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 03492 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03493 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03494 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1230768, (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0 03495 392 NtSetInformationFile (420, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03496 392 NtSetInformationFile (420, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03497 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03498 392 NtWriteFile (420, 253, 0, 0, (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03499 392 NtReadFile (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\343#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03500 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\343#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\343#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03501 392 NtClose (416, ... ) == 0x0 03502 392 NtClose (420, ... ) == 0x0 03503 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03504 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0 03505 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03506 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03507 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1230768, (0xc0100080, {24, 0, 0x40, 0, 1230768, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03508 392 NtSetInformationFile (416, 1230824, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03509 392 NtSetInformationFile (416, 1230816, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03510 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03511 392 NtWriteFile (416, 253, 0, 0, (416, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03512 392 NtReadFile (416, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (416, 253, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\344#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03513 392 NtFsControlFile (416, 253, 0x0, 0x0, 0x11c017, (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\344#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\344#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03514 392 NtClose (420, ... ) == 0x0 03515 392 NtClose (416, ... ) == 0x0 03516 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0 03517 392 NtQueryKey (416, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0 03518 392 NtQuerySecurityObject (416, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 03519 392 NtQuerySecurityObject (416, 15, 0, ... ) == STATUS_ACCESS_DENIED 03520 392 NtQueryValueKey (416, (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 03521 392 NtClose (416, ... ) == 0x0 03522 392 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 
416, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03523 392 NtFsControlFile (416, 0, 0x0, 0x0, 0x600bc, (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024}, (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... 
{status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03524 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03525 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0 03526 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03527 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03528 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232208, (0xc0100080, {24, 0, 0x40, 0, 1232208, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0 03529 392 NtSetInformationFile (424, 1232264, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03530 392 NtSetInformationFile (424, 1232256, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03531 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03532 392 NtWriteFile (424, 253, 0, 0, (424, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03533 392 NtReadFile (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\345#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03534 392 NtFsControlFile (424, 253, 0x0, 0x0, 0x11c017, (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\345#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\270\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\345#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03535 392 NtClose (420, ... ) == 0x0 03536 392 NtClose (424, ... ) == 0x0 03537 392 NtWaitForSingleObject (408, 0, {-70000000, -1}, ... ) == 0x0 03538 392 NtReleaseSemaphore (408, 1, ... 0x0, ) == 0x0 03539 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231720, ... ) }, 1231720, ... ) == 0x0 03540 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 424, ) }, ... 
424, ) == 0x0 03541 392 NtWaitForSingleObject (424, 0, {-1800000000, -1}, ... ) == 0x0 03542 392 NtClose (424, ... ) == 0x0 03543 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03544 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0 03545 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03546 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03547 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232244, (0xc0100080, {24, 0, 0x40, 0, 1232244, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0 03548 392 NtSetInformationFile (420, 1232300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03549 392 NtSetInformationFile (420, 1232292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03550 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03551 392 NtWriteFile (420, 253, 0, 0, (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03552 392 NtReadFile (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 03553 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03554 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03555 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03556 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0vZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 03557 392 NtFsControlFile (420, 253, 0x0, 0x0, 0x11c017, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0wZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 03558 392 NtClose (424, ... ) == 0x0 03559 392 NtClose (420, ... ) == 0x0 03560 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03561 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 03562 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03563 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03564 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231712, ... ) }, 1231712, ... ) == 0x0 03565 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0 03566 392 NtQueryValueKey (420, (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0 03567 392 NtClose (420, ... ) == 0x0 03568 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0 03569 392 NtQueryValueKey (420, (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0 03570 392 NtClose (420, ... ) == 0x0 03571 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 420, ) }, ... 420, ) == 0x0 03572 392 NtQueryValueKey (420, (420, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03573 392 NtClose (420, ... ) == 0x0 03574 392 NtRaiseException (1222212, 1221472, 1, ... 03575 392 NtContinue (1220268, 0, ... 03576 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03577 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03578 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03579 392 NtRaiseException (1222208, 1221468, 1, ... 03580 392 NtContinue (1220264, 0, ... 03581 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03582 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03583 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03584 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1232876, 0, (0x1f0001, {24, 52, 0x80, 1232876, 0, "HGFSMUTEX"}, 1, ... 420, ) }, 1, ... 420, ) == STATUS_OBJECT_NAME_EXISTS 03585 392 NtWaitForSingleObject (420, 0, 0x0, ... ) == 0x0 03586 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "HGFSMEMORY"}, ... 424, ) }, ... 424, ) == 0x0 03587 392 NtMapViewOfSection (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xfe0000), {0, 0}, 28672, ) == 0x0 03588 392 NtReleaseMutant (420, ... 0x0, ) == 0x0 03589 392 NtRaiseException (1223264, 1222524, 1, ... 03590 392 NtContinue (1221320, 0, ... 03591 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03592 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03593 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03594 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1233920, 1233508, (0xc0100080, {24, 0, 0x40, 1233920, 1233508, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 
428, {status=0x0, info=0}, ) == 0x0 03595 392 NtDeviceIoControlFile (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0 03596 392 NtClose (428, ... ) == 0x0 03597 392 NtRaiseException (1223244, 1222504, 1, ... 03598 392 NtContinue (1221300, 0, ... 03599 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03600 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03601 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03602 392 NtRaiseException (1223264, 1222524, 1, ... 03603 392 NtContinue (1221320, 0, ... 03604 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 03605 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03606 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 03607 392 NtAllocateVirtualMemory (-1, 1511424, 0, 20480, 4096, 4, ... 1511424, 20480, ) == 0x0 03608 392 NtAllocateVirtualMemory (-1, 1531904, 0, 20480, 4096, 4, ... 1531904, 20480, ) == 0x0 03609 392 NtWaitForSingleObject (408, 0, {-70000000, -1}, ... ) == 0x0 03610 392 NtReleaseSemaphore (408, 1, ... 0x0, ) == 0x0 03611 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 428, ) }, ... 428, ) == 0x0 03612 392 NtWaitForSingleObject (428, 0, {-1800000000, -1}, ... ) == 0x0 03613 392 NtClose (428, ... ) == 0x0 03614 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03615 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0 03616 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03617 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03618 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232184, (0xc0100080, {24, 0, 0x40, 0, 1232184, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 
432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 03619 392 NtSetInformationFile (432, 1232240, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03620 392 NtSetInformationFile (432, 1232232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03621 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03622 392 NtWriteFile (432, 253, 0, 0, (432, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03623 392 NtReadFile (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 03624 392 NtFsControlFile (432, 253, 0x0, 0x0, 0x11c017, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03625 392 NtFsControlFile (432, 253, 0x0, 0x0, 0x11c017, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03626 392 NtFsControlFile (432, 253, 0x0, 0x0, 0x11c017, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03627 392 NtFsControlFile (432, 253, 0x0, 0x0, 0x11c017, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0xZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 03628 392 NtFsControlFile (432, 253, 0x0, 0x0, 0x11c017, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0yZb\3457Y\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 03629 392 NtClose (428, ... ) == 0x0 03630 392 NtClose (432, ... ) == 0x0 03631 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03632 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 03633 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03634 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03635 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1232276, (0xc0100080, {24, 0, 0x40, 0, 1232276, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0 03636 392 NtSetInformationFile (428, 1232332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03637 392 NtSetInformationFile (428, 1232324, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 03638 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03639 392 NtWriteFile (428, 253, 0, 0, (428, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03640 392 NtReadFile (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\22'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03641 392 NtFsControlFile (428, 253, 0x0, 0x0, 0x11c017, (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\22'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76}, (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\22'\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03642 392 NtClose (432, ... ) == 0x0 03643 392 NtClose (428, ... ) == 0x0 03644 392 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 03645 392 NtSetValueKey (428, (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... 
) , 0, 1, (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 03646 392 NtClose (428, ... ) == 0x0 03647 392 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0 03648 392 NtQueryValueKey (428, (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03649 392 NtClose (428, ... ) == 0x0 03650 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03651 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03652 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03653 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03654 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03655 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03656 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03657 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03658 392 NtCreateKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 03659 392 NtSetValueKey (428, (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 03660 392 NtClose (428, ... ) == 0x0 03661 392 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0 03662 392 NtQueryValueKey (428, (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03663 392 NtClose (428, ... ) == 0x0 03664 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03665 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03666 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03667 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03668 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03669 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 03670 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03671 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03672 392 NtWaitForSingleObject (408, 0, {-70000000, -1}, ... ) == 0x0 03673 392 NtReleaseSemaphore (408, 1, ... 0x0, ) == 0x0 03674 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03675 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 03676 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03677 392 NtClose (428, ... ) == 0x0 03678 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 03679 392 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "Network"}, ... 432, ) }, ... 432, ) == 0x0 03680 392 NtClose (428, ... ) == 0x0 03681 392 NtQueryKey (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0 03682 392 NtQuerySecurityObject (432, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 03683 392 NtQuerySecurityObject (432, 15, 0, ... 
) == STATUS_ACCESS_DENIED 03684 392 NtWaitForSingleObject (120, 0, {0, 0}, ... ) == 0x102 03685 392 NtEnumerateKey (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0 03686 392 NtOpenKey (0x2001f, {24, 432, 0x40, 0, 0, (0x2001f, {24, 432, 0x40, 0, 0, "f"}, ... 428, ) }, ... 428, ) == 0x0 03687 392 NtQueryValueKey (428, (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03688 392 NtQueryValueKey (428, (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03689 392 NtQueryValueKey (428, (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03690 392 NtQueryValueKey (428, (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 03691 392 NtQueryValueKey (428, (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03692 392 NtQueryValueKey (428, (428, "DeferFlags", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 03693 392 NtQueryValueKey (428, (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03694 392 NtClose (428, ... ) == 0x0 03695 392 NtEnumerateKey (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0 03696 392 NtOpenKey (0x2001f, {24, 432, 0x40, 0, 0, (0x2001f, {24, 432, 0x40, 0, 0, "u"}, ... 428, ) }, ... 428, ) == 0x0 03697 392 NtQueryValueKey (428, (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03698 392 NtQueryValueKey (428, (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 03699 392 NtQueryValueKey (428, (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03700 392 NtQueryValueKey (428, (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 03701 392 NtQueryValueKey (428, (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03702 392 NtQueryValueKey (428, (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 03703 392 NtQueryValueKey (428, (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03704 392 NtClose (428, ... ) == 0x0 03705 392 NtClose (432, ... ) == 0x0 03706 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03707 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03708 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03709 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03710 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03711 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03712 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 432, ) }, ... 432, ) == 0x0 03713 392 NtQueryKey (434, Name, 392, ... 
{Name= (434, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 03714 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03715 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 03716 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03717 392 NtClose (428, ... ) == 0x0 03718 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03719 392 NtEnumerateKey (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 03720 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03721 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03722 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 428, ) }, ... 428, ) == 0x0 03723 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 03724 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03725 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 436, ) == 0x0 03726 392 NtQueryInformationToken (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03727 392 NtClose (436, ... 
) == 0x0 03728 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03729 392 NtQueryValueKey (430, (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 03730 392 NtClose (430, ... ) == 0x0 03731 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03732 392 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 428, {status=0x0, info=1}, ) }, 3, 96, ... 428, {status=0x0, info=1}, ) == 0x0 03733 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 436, ) }, ... 436, ) == 0x0 03734 392 NtQuerySymbolicLinkObject (436, ... (436, ... "\Device\WinDfs\U:0000000000009248", 66, ) , 66, ) == 0x0 03735 392 NtClose (436, ... ) == 0x0 03736 392 NtQueryVolumeInformationFile (428, 1233596, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03737 392 NtClose (428, ... ) == 0x0 03738 392 NtEnumerateKey (434, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 03739 392 NtClose (434, ... ) == 0x0 03740 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03741 392 NtQueryDirectoryFile (432, 0, 0, 0, 1232384, 616, BothDirectory, 1, (432, 0, 0, 0, 1232384, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 03742 392 NtClose (432, ... ) == 0x0 03743 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03744 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03745 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 432, ) }, ... 432, ) == 0x0 03746 392 NtQueryKey (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03747 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03748 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 03749 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03750 392 NtClose (428, ... ) == 0x0 03751 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03752 392 NtOpenKey (0x1, {24, 434, 0x40, 0, 0, (0x1, {24, 434, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03753 392 NtQueryKey (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03754 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03755 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 03756 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03757 392 NtClose (428, ... ) == 0x0 03758 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03759 392 NtOpenKey (0x2000000, {24, 434, 0x40, 0, 0, ""}, ... 428, ) == 0x0 03760 392 NtClose (434, ... ) == 0x0 03761 392 NtReleaseSemaphore (264, 1, ... 
0, ) == 0x0 03762 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03763 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03764 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03765 392 NtQueryValueKey (432, (432, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03766 392 NtClose (432, ... ) == 0x0 03767 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03768 392 NtOpenKey (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 432, ) == 0x0 03769 392 NtQueryValueKey (432, (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 03770 392 NtQueryValueKey (432, (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 03771 392 NtClose (432, ... ) == 0x0 03772 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03773 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03774 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03775 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 
432, ) }, ... 432, ) == 0x0 03776 392 NtQueryValueKey (432, (432, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03777 392 NtClose (432, ... ) == 0x0 03778 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03779 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03780 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03781 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03782 392 NtQueryValueKey (432, (432, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03783 392 NtClose (432, ... ) == 0x0 03784 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03785 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03786 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03787 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03788 392 NtQueryValueKey (432, (432, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03789 392 NtClose (432, ... ) == 0x0 03790 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03791 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03792 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03793 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 
432, ) == 0x0 03794 392 NtQueryValueKey (432, (432, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03795 392 NtClose (432, ... ) == 0x0 03796 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03797 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03798 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03799 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03800 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03801 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03802 392 NtQueryValueKey (432, (432, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03803 392 NtClose (432, ... ) == 0x0 03804 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03805 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03806 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03807 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03808 392 NtQueryValueKey (432, (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03809 392 NtClose (432, ... ) == 0x0 03810 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03811 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03812 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03813 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0 03814 392 NtQueryValueKey (432, (432, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03815 392 NtClose (432, ... ) == 0x0 03816 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03817 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03818 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03819 392 NtOpenKey (0x2000000, {24, 260, 0x40, 0, 0, (0x2000000, {24, 260, 0x40, 0, 0, "Advanced"}, ... 432, ) }, ... 432, ) == 0x0 03820 392 NtQueryValueKey (432, (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0 03821 392 NtQueryValueKey (432, (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03822 392 NtQueryValueKey (432, (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03823 392 NtQueryValueKey (432, (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03824 392 NtQueryValueKey (432, (432, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowInfoTip", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03825 392 NtQueryValueKey (432, (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03826 392 NtQueryValueKey (432, (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03827 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03828 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03829 392 NtQueryValueKey (432, (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03830 392 NtQueryValueKey (432, (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03831 392 NtQueryValueKey (432, (432, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03832 392 NtQueryValueKey (432, (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03833 392 NtQueryValueKey (432, (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03834 392 NtClose (432, ... ) == 0x0 03835 392 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1329480, 0, (0x1f0003, {24, 52, 0x80, 1329480, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 432, ) }, 0, 2147483647, ... 
432, ) == STATUS_OBJECT_NAME_EXISTS 03836 392 NtReleaseSemaphore (432, 1, ... 0, ) == 0x0 03837 392 NtWaitForSingleObject (432, 0, {0, 0}, ... ) == 0x0 03838 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03839 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03840 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 436, ) == 0x0 03841 392 NtQueryInformationToken (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03842 392 NtClose (436, ... ) == 0x0 03843 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03844 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03845 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03846 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03847 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 436, ) == 0x0 03848 392 NtQueryInformationToken (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03849 392 NtClose (436, ... ) == 0x0 03850 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03851 392 NtQueryValueKey (430, (430, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03852 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03853 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03854 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
436, ) == 0x0 03855 392 NtQueryInformationToken (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03856 392 NtClose (436, ... ) == 0x0 03857 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03858 392 NtQueryValueKey (430, (430, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03859 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03860 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03861 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 436, ) == 0x0 03862 392 NtQueryInformationToken (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03863 392 NtClose (436, ... ) == 0x0 03864 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03865 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03866 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03867 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03868 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 436, ) }, ... 436, ) == 0x0 03869 392 NtQueryKey (438, Name, 384, ... {Name= (438, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0 03870 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03871 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03872 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03873 392 NtClose (440, ... ) == 0x0 03874 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03875 392 NtOpenKey (0x1, {24, 438, 0x40, 0, 0, (0x1, {24, 438, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03876 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03877 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03878 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03879 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03880 392 NtClose (440, ... ) == 0x0 03881 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03882 392 NtQueryValueKey (430, (430, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03883 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03884 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03885 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03886 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03887 392 NtClose (440, ... ) == 0x0 03888 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03889 392 NtQueryValueKey (430, (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03890 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 03891 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03892 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03893 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03894 392 NtClose (440, ... ) == 0x0 03895 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03896 392 NtQueryValueKey (430, (430, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03897 392 NtClose (430, ... ) == 0x0 03898 392 NtClose (438, ... ) == 0x0 03899 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0 03900 392 NtQueryDirectoryFile (436, 0, 0, 0, 1232312, 616, BothDirectory, 1, (436, 0, 0, 0, 1232312, 616, BothDirectory, 1, "efniz.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03901 392 NtClose (436, ... ) == 0x0 03902 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03903 392 NtOpenKey (0x2000000, {24, 260, 0x40, 0, 0, (0x2000000, {24, 260, 0x40, 0, 0, "FileExts"}, ... 436, ) }, ... 436, ) == 0x0 03904 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03905 392 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 03906 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03907 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03908 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03909 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 428, ) }, ... 428, ) == 0x0 03910 392 NtQueryKey (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03911 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03912 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03913 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03914 392 NtClose (440, ... ) == 0x0 03915 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03916 392 NtQueryValueKey (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 03917 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03918 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03919 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 440, ) }, ... 440, ) == 0x0 03920 392 NtQueryKey (442, Name, 384, ... 
{Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03921 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03922 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 444, ) == 0x0 03923 392 NtQueryInformationToken (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03924 392 NtClose (444, ... ) == 0x0 03925 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03926 392 NtOpenKey (0x1, {24, 442, 0x40, 0, 0, (0x1, {24, 442, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03927 392 NtQueryKey (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03928 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03929 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 444, ) == 0x0 03930 392 NtQueryInformationToken (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03931 392 NtClose (444, ... ) == 0x0 03932 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03933 392 NtOpenKey (0x2000000, {24, 442, 0x40, 0, 0, ""}, ... 444, ) == 0x0 03934 392 NtClose (442, ... ) == 0x0 03935 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 03936 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 03937 392 NtReleaseSemaphore (432, 1, ... 0, ) == 0x0 03938 392 NtWaitForSingleObject (432, 0, {0, 0}, ... ) == 0x0 03939 392 NtQueryKey (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03940 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03941 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
440, ) == 0x0 03942 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03943 392 NtClose (440, ... ) == 0x0 03944 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03945 392 NtOpenKey (0x1, {24, 446, 0x40, 0, 0, (0x1, {24, 446, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03946 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03947 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03948 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03949 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 03950 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03951 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0 03952 392 NtQueryKey (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 03953 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03954 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 03955 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03956 392 NtClose (448, ... 
) == 0x0 03957 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03958 392 NtQueryValueKey (442, (442, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03959 392 NtClose (442, ... ) == 0x0 03960 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03961 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03962 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03963 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03964 392 NtClose (440, ... ) == 0x0 03965 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03966 392 NtQueryValueKey (446, (446, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03967 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03968 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03969 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03970 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03971 392 NtClose (440, ... ) == 0x0 03972 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03973 392 NtQueryValueKey (446, (446, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03974 392 NtQueryKey (446, Name, 384, ... {Name= (446, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03975 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03976 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 03977 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03978 392 NtClose (440, ... ) == 0x0 03979 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03980 392 NtOpenKey (0x1, {24, 446, 0x40, 0, 0, (0x1, {24, 446, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03981 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03982 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03983 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 440, ) }, ... 440, ) == 0x0 03984 392 NtQueryKey (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 03985 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03986 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 03987 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03988 392 NtClose (448, ... ) == 0x0 03989 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03990 392 NtOpenKey (0x1, {24, 442, 0x40, 0, 0, (0x1, {24, 442, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03991 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03992 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03993 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 03994 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03995 392 NtClose (448, ... ) == 0x0 03996 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03997 392 NtQueryValueKey (446, (446, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03998 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 03999 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04000 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04001 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04002 392 NtClose (448, ... ) == 0x0 04003 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04004 392 NtQueryValueKey (446, (446, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04005 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04006 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04007 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04008 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04009 392 NtClose (448, ... 
) == 0x0 04010 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04011 392 NtQueryValueKey (446, (446, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04012 392 NtClose (430, ... ) == 0x0 04013 392 NtClose (446, ... ) == 0x0 04014 392 NtClose (442, ... ) == 0x0 04015 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04016 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04017 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04018 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04019 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04020 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04021 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0 04022 392 NtQueryKey (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 04023 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04024 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 444, ) == 0x0 04025 392 NtQueryInformationToken (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04026 392 NtClose (444, ... ) == 0x0 04027 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04028 392 NtQueryValueKey (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 04029 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04030 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04031 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 444, ) }, ... 444, ) == 0x0 04032 392 NtQueryKey (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04033 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04034 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 04035 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04036 392 NtClose (428, ... ) == 0x0 04037 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04038 392 NtOpenKey (0x1, {24, 446, 0x40, 0, 0, (0x1, {24, 446, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04039 392 NtQueryKey (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04040 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04041 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 04042 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04043 392 NtClose (428, ... 
) == 0x0 04044 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04045 392 NtOpenKey (0x2000000, {24, 446, 0x40, 0, 0, ""}, ... 428, ) == 0x0 04046 392 NtClose (446, ... ) == 0x0 04047 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04048 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04049 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 444, ) == 0x0 04050 392 NtQueryInformationToken (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04051 392 NtClose (444, ... ) == 0x0 04052 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04053 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04054 392 NtQueryKey (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0 04055 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04056 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 444, ) == 0x0 04057 392 NtQueryInformationToken (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04058 392 NtClose (444, ... ) == 0x0 04059 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04060 392 NtOpenKey (0x1, {24, 442, 0x40, 0, 0, (0x1, {24, 442, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04061 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04062 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04063 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04064 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 04065 392 NtOpenKey (0x1, {24, 274, 0x40, 0, 0, (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04066 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0 04067 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 04068 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04069 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04070 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04071 392 NtClose (448, ... ) == 0x0 04072 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04073 392 NtQueryValueKey (446, (446, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04074 392 NtClose (446, ... ) == 0x0 04075 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04076 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04077 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 444, ) }, ... 444, ) == 0x0 04078 392 NtQueryKey (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 04079 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04080 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04081 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04082 392 NtClose (448, ... ) == 0x0 04083 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04084 392 NtOpenKey (0x1, {24, 446, 0x40, 0, 0, (0x1, {24, 446, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04085 392 NtClose (442, ... ) == 0x0 04086 392 NtClose (430, ... ) == 0x0 04087 392 NtClose (446, ... ) == 0x0 04088 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04089 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04090 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04091 392 NtOpenKey (0x2000000, {24, 436, 0x40, 0, 0, (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04092 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04093 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04094 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0 04095 392 NtQueryKey (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 04096 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04097 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 04098 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04099 392 NtClose (428, ... ) == 0x0 04100 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04101 392 NtQueryValueKey (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 04102 392 NtQueryKey (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 04103 392 NtOpenKey (0x2000000, {24, 274, 0x40, 0, 0, (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04104 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 428, ) }, ... 428, ) == 0x0 04105 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04106 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04107 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
440, ) == 0x0 04108 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04109 392 NtClose (440, ... ) == 0x0 04110 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04111 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04112 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04113 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04114 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 04115 392 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04116 392 NtClose (440, ... ) == 0x0 04117 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04118 392 NtOpenKey (0x2000000, {24, 430, 0x40, 0, 0, ""}, ... 440, ) == 0x0 04119 392 NtClose (430, ... ) == 0x0 04120 392 NtQueryKey (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0 04121 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04122 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 04123 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04124 392 NtClose (428, ... ) == 0x0 04125 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04126 392 NtOpenKey (0x2000000, {24, 442, 0x40, 0, 0, (0x2000000, {24, 442, 0x40, 0, 0, "shell\open"}, ... 
428, ) }, ... 428, ) == 0x0 04127 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 04128 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04129 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04130 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04131 392 NtClose (448, ... ) == 0x0 04132 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04133 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0 04134 392 NtQueryKey (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 04135 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04136 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 452, ) == 0x0 04137 392 NtQueryInformationToken (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04138 392 NtClose (452, ... ) == 0x0 04139 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04140 392 NtQueryValueKey (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 04141 392 NtClose (450, ... ) == 0x0 04142 392 NtOpenKey (0x2000000, {24, 64, 0x40, 0, 0, (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04143 392 NtQueryKey (430, Name, 384, ... 
{Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 04144 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04145 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04146 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04147 392 NtClose (448, ... ) == 0x0 04148 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04149 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0 04150 392 NtQueryKey (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 04151 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04152 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 452, ) == 0x0 04153 392 NtQueryInformationToken (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04154 392 NtClose (452, ... ) == 0x0 04155 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04156 392 NtQueryValueKey (450, (450, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04157 392 NtClose (450, ... ) == 0x0 04158 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\efniz.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04159 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0 04160 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 04161 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04162 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04163 392 NtClose (448, ... ) == 0x0 04164 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04165 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0 04166 392 NtQueryKey (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 04167 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04168 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 452, ) == 0x0 04169 392 NtQueryInformationToken (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04170 392 NtClose (452, ... ) == 0x0 04171 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04172 392 NtQueryValueKey (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 04173 392 NtClose (450, ... ) == 0x0 04174 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 04175 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04176 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04177 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04178 392 NtClose (448, ... 
) == 0x0 04179 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04180 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04181 392 NtUserGetForegroundWindow (... ) == 0x100a8 04182 392 NtQueryKey (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0 04183 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04184 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 448, ) == 0x0 04185 392 NtQueryInformationToken (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04186 392 NtClose (448, ... ) == 0x0 04187 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04188 392 NtOpenKey (0x1, {24, 430, 0x40, 0, 0, (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0 04189 392 NtQueryKey (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0 04190 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04191 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 452, ) == 0x0 04192 392 NtQueryInformationToken (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04193 392 NtClose (452, ... ) == 0x0 04194 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04195 392 NtQueryValueKey (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... 
TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0 04196 392 NtClose (450, ... ) == 0x0 04197 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 04198 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 04199 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04200 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0 04201 392 NtQueryValueKey (448, (448, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04202 392 NtClose (448, ... ) == 0x0 04203 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 04204 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 04205 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04206 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0 04207 392 NtQueryValueKey (448, (448, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04208 392 NtClose (448, ... ) == 0x0 04209 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\efniz.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04210 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04211 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\efniz.bat"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04212 392 NtReleaseSemaphore (264, 1, ... 0, ) == 0x0 04213 392 NtWaitForSingleObject (264, 0, {0, 0}, ... ) == 0x0 04214 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04215 392 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0 04216 392 NtQueryValueKey (448, (448, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04217 392 NtClose (448, ... ) == 0x0 04218 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\efniz.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04219 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 04220 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1228792, ... ) }, 1228792, ... ) == 0x0 04221 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1229484, ... ) }, 1229484, ... ) == 0x0 04222 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0 04223 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... ) == STATUS_INVALID_IMAGE_NOT_MZ 04224 392 NtQueryVolumeInformationFile (448, 1228792, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04225 392 NtWaitForSingleObject (276, 0, {-1000000, -1}, ... ) == 0x0 04226 392 NtReleaseMutant (276, ... 0x0, ) == 0x0 04227 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
452, {status=0x0, info=1}, ) == 0x0 04228 392 NtQueryInformationFile (452, 1227380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04229 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 452, ... 456, ) == 0x0 04230 392 NtMapViewOfSection (456, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1490000), 0x0, 1028096, ) == 0x0 04231 392 NtQueryInformationFile (452, 1227476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04232 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04233 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0 04234 392 NtQueryDirectoryFile (460, 0, 0, 0, 1225040, 616, BothDirectory, 1, (460, 0, 0, 0, 1225040, 616, BothDirectory, 1, "efniz.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 04235 392 NtClose (460, ... ) == 0x0 04236 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04237 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04238 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1224428, ... ) }, 1224428, ... ) == 0x0 04239 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0 04240 392 NtQueryDirectoryFile (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 04241 392 NtClose (460, ... 
) == 0x0 04242 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0 04243 392 NtQueryDirectoryFile (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, (460, 0, 0, 0, 1223788, 616, BothDirectory, 1, "efniz.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 04244 392 NtClose (460, ... ) == 0x0 04245 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04246 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04247 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 04248 392 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 460, {status=0x0, info=1}, ) }, 3, 96, ... 460, {status=0x0, info=1}, ) == 0x0 04249 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 464, ) }, ... 464, ) == 0x0 04250 392 NtQuerySymbolicLinkObject (464, ... (464, ... "\Device\WinDfs\U:0000000000009248", 66, ) , 66, ) == 0x0 04251 392 NtClose (464, ... ) == 0x0 04252 392 NtQueryVolumeInformationFile (460, 1225180, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04253 392 NtClose (460, ... ) == 0x0 04254 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04255 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 460, ) == 0x0 04256 392 NtQueryInformationToken (460, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04257 392 NtClose (460, ... ) == 0x0 04258 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04259 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\efniz.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04260 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04261 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04262 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\efniz.bat"}, 1226708, ... ) }, 1226708, ... ) == 0x0 04263 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0 04264 392 NtQueryDirectoryFile (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 04265 392 NtClose (460, ... ) == 0x0 04266 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0 04267 392 NtQueryDirectoryFile (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, (460, 0, 0, 0, 1226068, 616, BothDirectory, 1, "efniz.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 04268 392 NtClose (460, ... ) == 0x0 04269 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04270 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04271 392 NtWaitForSingleObject (276, 0, {-1000000, -1}, ... ) == 0x0 04272 392 NtQueryVolumeInformationFile (448, 1227352, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04273 392 NtQueryInformationFile (448, 1227332, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 04274 392 NtQueryInformationFile (448, 1227372, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04275 392 NtReleaseMutant (276, ... 0x0, ) == 0x0 04276 392 NtUnmapViewOfSection (-1, 0x1490000, ... ) == 0x0 04277 392 NtClose (456, ... ) == 0x0 04278 392 NtClose (452, ... ) == 0x0 04279 392 NtClose (448, ... ) == 0x0 04280 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04281 392 NtQueryAttributesFile ({24, 244, 0x40, 0, 0, ({24, 244, 0x40, 0, 0, "cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04282 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228768, ... ) }, 1228768, ... ) == 0x0 04283 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229484, ... ) }, 1229484, ... ) == 0x0 04284 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0 04285 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... 452, ) == 0x0 04286 392 NtQuerySection (452, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04287 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04288 392 NtCreateProcessEx (1231420, 2035711, 0, -1, 0, 452, 0, 0, 0, ... ) == 0x0 04289 392 NtSetInformationProcess (456, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04290 392 NtQueryInformationProcess (456, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=180,ParentPid=388,}, 0x0, ) == 0x0 04291 392 NtReadVirtualMemory (456, 0x7ffdf008, 4, ... (456, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0 04292 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04293 392 NtReadVirtualMemory (456, 0x4ad00000, 4096, ... (456, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 04294 392 NtReadVirtualMemory (456, 0x4ad3b000, 256, ... (456, 0x4ad3b000, 256, ... 
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 04295 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04296 392 NtQueryInformationProcess (456, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=180,ParentPid=388,}, 0x0, ) == 0x0 04297 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229484, ... ) }, 1229484, ... ) == 0x0 04298 392 NtAllocateVirtualMemory (-1, 0, 0, 1640, 4096, 4, ... 16777216, 4096, ) == 0x0 04299 392 NtAllocateVirtualMemory (456, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 04300 392 NtWriteVirtualMemory (456, 0x10000, (456, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 
0x0, ) == 0x0 04301 392 NtAllocateVirtualMemory (456, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0 04302 392 NtWriteVirtualMemory (456, 0x20000, (456, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0:\0<\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0 04303 392 NtWriteVirtualMemory (456, 0x7ffdf010, (456, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 04304 392 NtWriteVirtualMemory (456, 0x7ffdf1e8, (456, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 04305 392 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 4096, ) == 0x0 04306 392 NtAllocateVirtualMemory (456, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 04307 392 NtAllocateVirtualMemory (456, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0 04308 392 NtCreateThread (0x1f03ff, 0x0, 456, 1229684, 1230404, 1, ... 
460, {180, 212}, ) == 0x0 04309 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\264\0\0\0\324\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2629, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\264\0\0\0\324\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 388, 392, 2629, 0} (24, {168, 196, new_msg, 0, 0, 1231516, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\264\0\0\0\324\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2629, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\264\0\0\0\324\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0(\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 04310 392 NtResumeThread (460, ... 1, ) == 0x0 04311 392 NtClose (448, ... ) == 0x0 04312 392 NtClose (452, ... ) == 0x0 04313 392 NtClose (430, ... ) == 0x0 04314 392 NtClose (446, ... ) == 0x0 04315 392 NtClose (442, ... 
) == 0x0 04316 392 NtClose (456, ... ) == 0x0 04317 392 NtClose (460, ... ) == 0x0 04318 392 NtFreeVirtualMemory (-1, (0x162000), 20480, 16384, ... (0x162000), 20480, ) == 0x0 04319 392 NtGdiDeleteObjectApp (218629228, ... ) == 0x1 04320 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04321 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04322 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04323 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04324 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04325 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04326 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04327 392 NtUserGetClassInfo (1989935104, 1233724, 1233676, 1233752, 0, ... ) == 0x0 04328 392 NtUnmapViewOfSection (-1, 0xff0000, ... ) == 0x0 04329 392 NtClose (392, ... ) == 0x0 04330 392 NtUnmapViewOfSection (-1, 0x769c0000, ... ) == 0x0 04331 392 NtUserDestroyWindow (65766, ... 04332 392 NtUserRemoveProp (65766, 43288, ... ) == 0xffffffff 04333 392 NtUserRemoveProp (65766, 43282, ... ) == 0x0 04334 392 NtUserRemoveProp (65766, 43287, ... ) == 0x0 04331 392 NtUserDestroyWindow ... ) == 0x1 04335 392 NtUserUnregisterClass (1234864, 1998258176, 1234852, ... ) == 0x1 04336 392 NtClose (296, ... ) == 0x0 04337 392 NtClose (288, ... ) == 0x0 04338 392 NtClose (292, ... ) == 0x0 04339 392 NtClose (268, ... ) == 0x0 04340 392 NtClose (284, ... ) == 0x0 04341 392 NtClose (316, ... ) == 0x0 04342 392 NtClose (320, ... ) == 0x0 04343 392 NtClose (312, ... ) == 0x0 04344 392 NtClose (304, ... ) == 0x0 04345 392 NtClose (308, ... ) == 0x0 04346 392 NtClose (332, ... ) == 0x0 04347 392 NtClose (336, ... ) == 0x0 04348 392 NtClose (324, ... ) == 0x0 04349 392 NtClose (328, ... ) == 0x0 04350 392 NtClose (356, ... ) == 0x0 04351 392 NtClose (348, ... 
) == 0x0 04352 392 NtClose (352, ... ) == 0x0 04353 392 NtClose (340, ... ) == 0x0 04354 392 NtClose (344, ... ) == 0x0 04355 392 NtClose (360, ... ) == 0x0 04356 392 NtClose (364, ... ) == 0x0 04357 392 NtClose (376, ... ) == 0x0 04358 392 NtClose (380, ... ) == 0x0 04359 392 NtClose (368, ... ) == 0x0 04360 392 NtClose (372, ... ) == 0x0 04361 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 04362 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1235740, ... ) }, 1235740, ... ) == 0x0 04363 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1236432, ... ) }, 1236432, ... ) == 0x0 04364 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0 04365 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 372, ... 368, ) == 0x0 04366 392 NtQueryVolumeInformationFile (372, 1235740, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04367 392 NtWaitForSingleObject (276, 0, {-1000000, -1}, ... ) == 0x0 04368 392 NtReleaseMutant (276, ... 0x0, ) == 0x0 04369 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0 04370 392 NtQueryInformationFile (380, 1234328, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04371 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 380, ... 376, ) == 0x0 04372 392 NtMapViewOfSection (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1490000), 0x0, 1028096, ) == 0x0 04373 392 NtQueryInformationFile (380, 1234424, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 04374 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04375 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04376 392 NtQueryDirectoryFile (364, 0, 0, 0, 1231988, 616, BothDirectory, 1, (364, 0, 0, 0, 1231988, 616, BothDirectory, 1, "explorer.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 04377 392 NtClose (364, ... ) == 0x0 04378 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04379 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04380 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1231376, ... ) }, 1231376, ... ) == 0x0 04381 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04382 392 NtQueryDirectoryFile (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 04383 392 NtClose (364, ... ) == 0x0 04384 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04385 392 NtQueryDirectoryFile (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 04386 392 NtClose (364, ... 
) == 0x0 04387 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04388 392 NtQueryDirectoryFile (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, (364, 0, 0, 0, 1230736, 616, BothDirectory, 1, "explorer.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 04389 392 NtClose (364, ... ) == 0x0 04390 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04391 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04392 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 04393 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04394 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 364, ) == 0x0 04395 392 NtQueryInformationToken (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04396 392 NtClose (364, ... ) == 0x0 04397 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04398 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04399 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04400 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04401 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1233656, ... ) }, 1233656, ... 
) == 0x0 04402 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04403 392 NtQueryDirectoryFile (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 04404 392 NtClose (364, ... ) == 0x0 04405 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04406 392 NtQueryDirectoryFile (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 04407 392 NtClose (364, ... ) == 0x0 04408 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 04409 392 NtQueryDirectoryFile (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, (364, 0, 0, 0, 1233016, 616, BothDirectory, 1, "explorer.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 04410 392 NtClose (364, ... ) == 0x0 04411 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04412 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04413 392 NtWaitForSingleObject (276, 0, {-1000000, -1}, ... ) == 0x0 04414 392 NtQueryVolumeInformationFile (372, 1234300, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04415 392 NtQueryInformationFile (372, 1234280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 04416 392 NtQueryInformationFile (372, 1234320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04417 392 NtReleaseMutant (276, ... 
0x0, ) == 0x0 04418 392 NtUnmapViewOfSection (-1, 0x1490000, ... ) == 0x0 04419 392 NtClose (376, ... ) == 0x0 04420 392 NtClose (380, ... ) == 0x0 04421 392 NtQuerySection (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04422 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04423 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 04424 392 NtOpenProcessToken (-1, 0xa, ... 380, ) == 0x0 04425 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0 04426 392 NtQueryValueKey (376, (376, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 04427 392 NtQueryValueKey (376, (376, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (376, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 04428 392 NtClose (376, ... ) == 0x0 04429 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 376, ) }, ... 376, ) == 0x0 04430 392 NtQuerySymbolicLinkObject (376, ... (376, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 04431 392 NtClose (376, ... ) == 0x0 04432 392 NtQueryInformationFile (372, 1234092, 528, Name, ... {status=0x0, info=64}, ) == 0x0 04433 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04434 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04435 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1232772, ... ) }, 1232772, ... ) == 0x0 04436 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0 04437 392 NtQueryDirectoryFile (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 04438 392 NtClose (376, ... ) == 0x0 04439 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 
376, {status=0x0, info=1}, ) == 0x0 04440 392 NtQueryDirectoryFile (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 04441 392 NtClose (376, ... ) == 0x0 04442 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0 04443 392 NtQueryDirectoryFile (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, (376, 0, 0, 0, 1232132, 616, BothDirectory, 1, "explorer.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 04444 392 NtClose (376, ... ) == 0x0 04445 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04446 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04447 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0 04448 392 NtQueryValueKey (376, (376, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04449 392 NtClose (376, ... ) == 0x0 04450 392 NtQueryInformationToken (380, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 04451 392 NtQueryInformationToken (380, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 04452 392 NtClose (380, ... ) == 0x0 04453 392 NtCreateProcessEx (1238368, 2035711, 0, -1, 4, 368, 0, 0, 0, ... ) == 0x0 04454 392 NtSetInformationProcess (380, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0 04455 392 NtQueryInformationProcess (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=228,ParentPid=388,}, 0x0, ) == 0x0 04456 392 NtReadVirtualMemory (380, 0x7ffdf008, 4, ... 
(380, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 04457 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04458 392 NtReadVirtualMemory (380, 0x400000, 4096, ... (380, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\250E\275\305\303L\34\227(\275\232\202z5\212PE\0\0L\1\6\0\360\19F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0`\1\0\0@\4\0\0\240\2\0\0 \2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\4\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\241\2\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 04459 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04460 392 NtQueryInformationProcess (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=228,ParentPid=388,}, 0x0, ) == 0x0 04461 392 NtAllocateVirtualMemory (-1, 0, 0, 1672, 4096, 4, ... 16711680, 4096, ) == 0x0 04462 392 NtAllocateVirtualMemory (380, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 04463 392 NtWriteVirtualMemory (380, 0x10000, (380, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 04464 392 NtAllocateVirtualMemory (380, 0, 0, 1672, 4096, 4, ... 131072, 4096, ) == 0x0 04465 392 NtWriteVirtualMemory (380, 0x20000, (380, 0x20000, "\0\20\0\0\210\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\367\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0@\0B\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0B\0 \6\0\0\36\0 
\0d\6\0\0\0\0\2\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1672, ... 0x0, ) , 1672, ... 0x0, ) == 0x0 04466 392 NtWriteVirtualMemory (380, 0x7ffdf010, (380, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 04467 392 NtWriteVirtualMemory (380, 0x7ffdf1e8, (380, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 04468 392 NtFreeVirtualMemory (-1, (0xff0000), 0, 32768, ... (0xff0000), 4096, ) == 0x0 04469 392 NtAllocateVirtualMemory (380, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 04470 392 NtAllocateVirtualMemory (380, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 04471 392 NtProtectVirtualMemory (380, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 04472 392 NtCreateThread (0x1f03ff, 0x0, 380, 1236632, 1237352, 1, ... 
376, {228, 664}, ) == 0x0 04473 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312872, 1310720, 1522672, 1238452} (24, {168, 196, new_msg, 0, 1312872, 1310720, 1522672, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\344\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2653, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\344\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 388, 392, 2653, 0} (24, {168, 196, new_msg, 0, 1312872, 1310720, 1522672, 1238452} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\344\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 392, 2653, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\344\0\0\0\230\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 04474 392 NtResumeThread (376, ... 1, ) == 0x0 04475 392 NtClose (372, ... ) == 0x0 04476 392 NtClose (368, ... ) == 0x0 04477 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 368, ) == 0x0 04478 392 NtYieldExecution (... 
) == 0x0 04479 392 NtFreeVirtualMemory (-1, (0x148000), 4096, 16384, ... (0x148000), 4096, ) == 0x0 04480 392 NtClose (96, ... ) == 0x0 04481 392 NtClose (92, ... ) == 0x0 04482 392 NtFreeVirtualMemory (-1, (0xdb0000), 0, 32768, ... (0xdb0000), 65536, ) == 0x0 04483 392 NtYieldExecution (... ) == 0x0 04484 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 04485 392 NtClearEvent (212, ... ) == 0x0 04486 392 NtClose (212, ... ) == 0x0 04487 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 04488 392 NtUnmapViewOfSection (-1, 0x76fb0000, ... ) == 0x0 04489 392 NtUnmapViewOfSection (-1, 0x76f60000, ... ) == 0x0 04490 392 NtUnmapViewOfSection (-1, 0x71a50000, ... ) == 0x0 04491 392 NtClose (104, ... ) == 0x0 04492 392 NtClose (100, ... ) == 0x0 04493 392 NtTerminateProcess (0, 0, ... 01734 1492 NtDelayExecution ... ) == 0xc0 01722 1500 NtDelayExecution ... ) == 0xc0 01743 1504 NtDelayExecution ... ) == 0xc0 03044 164 NtWaitForMultipleObjects ... ) == 0xc0 04493 392 NtTerminateProcess ... ) == 0x0 04494 392 NtRaiseException (1238116, 1237376, 1, ... 04495 392 NtContinue (1236172, 0, ... 04496 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 04497 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04498 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 04499 392 NtRaiseException (1228092, 1227352, 1, ... 04500 392 NtContinue (1226148, 0, ... 04501 392 NtWaitForSingleObject (412, 0, 0x0, ... ) == 0x0 04502 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04503 392 NtReleaseMutant (412, ... 0x0, ) == 0x0 04504 392 NtUnmapViewOfSection (-1, 0xfe0000, ... ) == 0x0 04505 392 NtClose (424, ... ) == 0x0 04506 392 NtClose (420, ... ) == 0x0 04507 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... 
) == 0x0 04508 392 NtFreeVirtualMemory (-1, (0xfd0000), 0, 32768, ... (0xfd0000), 65536, ) == 0x0 04509 392 NtClose (408, ... ) == 0x0 04510 392 NtClose (416, ... ) == 0x0 04511 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0 04512 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0 04513 392 NtQueryValueKey (416, (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 04514 392 NtClose (416, ... ) == 0x0 04515 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 04516 392 NtFreeVirtualMemory (-1, (0xfa0000), 0, 32768, ... (0xfa0000), 65536, ) == 0x0 04517 392 NtUnmapViewOfSection (-1, 0xe80000, ... ) == 0x0 04518 392 NtClose (384, ... ) == 0x0 04519 392 NtFreeVirtualMemory (-1, (0xe90000), 4096, 16384, ... (0xe90000), 4096, ) == 0x0 04520 392 NtFreeVirtualMemory (-1, (0xe90000), 0, 32768, ... (0xe90000), 65536, ) == 0x0 04521 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 04522 392 NtFreeVirtualMemory (-1, (0x15e000), 12288, 16384, ... (0x15e000), 12288, ) == 0x0 04523 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 04524 392 NtUnmapViewOfSection (-1, 0xe20000, ... ) == 0x0 04525 392 NtClose (240, ... ) == 0x0 04526 392 NtGdiDeleteObjectApp (34603849, ... ) == 0x1 04527 392 NtUserGetProcessWindowStation (... ) == 0x28 04528 392 NtUserBuildNameList (40, 256, 1328520, 1238756, ... ) == 0x0 04529 392 NtUserGetProcessWindowStation (... 
) == 0x28 04530 392 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xf0 04531 392 NtUserBuildHwndList (240, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100ae, 0x60036, 0x20060, 0x2005c, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100e8, 0x300c6, 0x100d8, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100a8, 0x100e4, 0x200e2, 0x100d6, 0x100cc, 0x100ca, 0x2005e, 0x20062, 0x100a2, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 43, ) == 0x0 04532 392 NtUserQueryWindow (196684, 0, ... ) == 0x768 04533 392 NtUserQueryWindow (196684, 1, ... ) == 0x77c 04534 392 NtUserQueryWindow (65758, 0, ... ) == 0x768 04535 392 NtUserQueryWindow (65758, 1, ... ) == 0x77c 04536 392 NtUserQueryWindow (65710, 0, ... ) == 0x7b0 04537 392 NtUserQueryWindow (65710, 1, ... ) == 0x7b4 04538 392 NtUserQueryWindow (393270, 0, ... ) == 0x7b0 04539 392 NtUserQueryWindow (393270, 1, ... ) == 0x7b4 04540 392 NtUserQueryWindow (131168, 0, ... ) == 0x7b0 04541 392 NtUserQueryWindow (131168, 1, ... ) == 0x7b4 04542 392 NtUserQueryWindow (131164, 0, ... ) == 0x7b0 04543 392 NtUserQueryWindow (131164, 1, ... ) == 0x7b4 04544 392 NtUserQueryWindow (65696, 0, ... ) == 0x768 04545 392 NtUserQueryWindow (65696, 1, ... ) == 0x77c 04546 392 NtUserQueryWindow (65662, 0, ... ) == 0x768 04547 392 NtUserQueryWindow (65662, 1, ... ) == 0x77c 04548 392 NtUserBuildHwndList (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 04549 392 NtUserQueryWindow (65664, 0, ... ) == 0x768 04550 392 NtUserQueryWindow (65664, 1, ... ) == 0x77c 04551 392 NtUserQueryWindow (65670, 0, ... ) == 0x768 04552 392 NtUserQueryWindow (65670, 1, ... ) == 0x77c 04553 392 NtUserQueryWindow (65672, 0, ... ) == 0x768 04554 392 NtUserQueryWindow (65672, 1, ... 
) == 0x77c 04555 392 NtUserQueryWindow (65674, 0, ... ) == 0x768 04556 392 NtUserQueryWindow (65674, 1, ... ) == 0x77c 04557 392 NtUserQueryWindow (65678, 0, ... ) == 0x768 04558 392 NtUserQueryWindow (65678, 1, ... ) == 0x77c 04559 392 NtUserQueryWindow (65680, 0, ... ) == 0x768 04560 392 NtUserQueryWindow (65680, 1, ... ) == 0x77c 04561 392 NtUserQueryWindow (65682, 0, ... ) == 0x768 04562 392 NtUserQueryWindow (65682, 1, ... ) == 0x77c 04563 392 NtUserQueryWindow (65684, 0, ... ) == 0x768 04564 392 NtUserQueryWindow (65684, 1, ... ) == 0x77c 04565 392 NtUserQueryWindow (65686, 0, ... ) == 0x768 04566 392 NtUserQueryWindow (65686, 1, ... ) == 0x77c 04567 392 NtUserQueryWindow (65690, 0, ... ) == 0x768 04568 392 NtUserQueryWindow (65690, 1, ... ) == 0x77c 04569 392 NtUserQueryWindow (65692, 0, ... ) == 0x768 04570 392 NtUserQueryWindow (65692, 1, ... ) == 0x77c 04571 392 NtUserQueryWindow (65694, 0, ... ) == 0x768 04572 392 NtUserQueryWindow (65694, 1, ... ) == 0x77c 04573 392 NtUserQueryWindow (65652, 0, ... ) == 0x768 04574 392 NtUserQueryWindow (65652, 1, ... ) == 0x77c 04575 392 NtUserQueryWindow (65640, 0, ... ) == 0x768 04576 392 NtUserQueryWindow (65640, 1, ... ) == 0x77c 04577 392 NtUserQueryWindow (196682, 0, ... ) == 0x768 04578 392 NtUserQueryWindow (196682, 1, ... ) == 0x77c 04579 392 NtUserQueryWindow (65638, 0, ... ) == 0x768 04580 392 NtUserQueryWindow (65638, 1, ... ) == 0x77c 04581 392 NtUserQueryWindow (196668, 0, ... ) == 0x768 04582 392 NtUserQueryWindow (196668, 1, ... ) == 0x77c 04583 392 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 04584 392 NtUserQueryWindow (196670, 0, ... ) == 0x768 04585 392 NtUserQueryWindow (196670, 1, ... ) == 0x77c 04586 392 NtUserQueryWindow (196674, 0, ... ) == 0x768 04587 392 NtUserQueryWindow (196674, 1, ... ) == 0x77c 04588 392 NtUserQueryWindow (196672, 0, ... 
) == 0x768 04589 392 NtUserQueryWindow (196672, 1, ... ) == 0x77c 04590 392 NtUserQueryWindow (196676, 0, ... ) == 0x768 04591 392 NtUserQueryWindow (196676, 1, ... ) == 0x77c 04592 392 NtUserQueryWindow (196678, 0, ... ) == 0x768 04593 392 NtUserQueryWindow (196678, 1, ... ) == 0x77c 04594 392 NtUserQueryWindow (196680, 0, ... ) == 0x768 04595 392 NtUserQueryWindow (196680, 1, ... ) == 0x77c 04596 392 NtUserQueryWindow (65642, 0, ... ) == 0x768 04597 392 NtUserQueryWindow (65642, 1, ... ) == 0x77c 04598 392 NtUserQueryWindow (65646, 0, ... ) == 0x768 04599 392 NtUserQueryWindow (65646, 1, ... ) == 0x77c 04600 392 NtUserQueryWindow (65650, 0, ... ) == 0x768 04601 392 NtUserQueryWindow (65650, 1, ... ) == 0x77c 04602 392 NtUserQueryWindow (65688, 0, ... ) == 0x768 04603 392 NtUserQueryWindow (65688, 1, ... ) == 0x77c 04604 392 NtUserQueryWindow (65676, 0, ... ) == 0x768 04605 392 NtUserQueryWindow (65676, 1, ... ) == 0x77c 04606 392 NtUserQueryWindow (65660, 0, ... ) == 0x768 04607 392 NtUserQueryWindow (65660, 1, ... ) == 0x76c 04608 392 NtUserQueryWindow (65574, 0, ... ) == 0x268 04609 392 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 04610 392 NtUserQueryWindow (65768, 0, ... ) == 0xb4 04611 392 NtUserQueryWindow (65768, 1, ... ) == 0xd4 04612 392 NtUserQueryWindow (196806, 0, ... ) == 0x4d4 04613 392 NtUserQueryWindow (196806, 1, ... ) == 0x4d8 04614 392 NtUserQueryWindow (65752, 0, ... ) == 0x4d4 04615 392 NtUserQueryWindow (65752, 1, ... ) == 0x4d8 04616 392 NtUserQueryWindow (65726, 0, ... ) == 0x7c8 04617 392 NtUserQueryWindow (65726, 1, ... ) == 0x7cc 04618 392 NtUserQueryWindow (65724, 0, ... ) == 0x7c8 04619 392 NtUserQueryWindow (65724, 1, ... ) == 0x7cc 04620 392 NtUserQueryWindow (65722, 0, ... ) == 0x7c8 04621 392 NtUserQueryWindow (65722, 1, ... ) == 0x7cc 04622 392 NtUserQueryWindow (65720, 0, ... ) == 0x7c8 04623 392 NtUserQueryWindow (65720, 1, ... ) == 0x7cc 04624 392 NtUserQueryWindow (65718, 0, ... 
) == 0x7c8 04625 392 NtUserQueryWindow (65718, 1, ... ) == 0x7cc 04626 392 NtUserQueryWindow (65716, 0, ... ) == 0x7c8 04627 392 NtUserQueryWindow (65716, 1, ... ) == 0x7cc 04628 392 NtUserQueryWindow (65712, 0, ... ) == 0x7c8 04629 392 NtUserQueryWindow (65712, 1, ... ) == 0x7cc 04630 392 NtUserQueryWindow (65704, 0, ... ) == 0x7e0 04631 392 NtUserQueryWindow (65704, 1, ... ) == 0x7e4 04632 392 NtUserQueryWindow (65764, 0, ... ) == 0x768 04633 392 NtUserQueryWindow (65764, 1, ... ) == 0x440 04634 392 NtUserQueryWindow (131298, 0, ... ) == 0x768 04635 392 NtUserQueryWindow (131298, 1, ... ) == 0x528 04636 392 NtUserQueryWindow (65750, 0, ... ) == 0x768 04637 392 NtUserQueryWindow (65750, 1, ... ) == 0x4f0 04638 392 NtUserQueryWindow (65740, 0, ... ) == 0x768 04639 392 NtUserQueryWindow (65740, 1, ... ) == 0x4f0 04640 392 NtUserBuildHwndList (0, 65740, 1, 0, 64, ... (0x100ce, 0x100d0, 0x100d2, 0x100d4, 0x1, ), 5, ) == 0x0 04641 392 NtUserQueryWindow (65742, 0, ... ) == 0x768 04642 392 NtUserQueryWindow (65742, 1, ... ) == 0x4f0 04643 392 NtUserQueryWindow (65744, 0, ... ) == 0x768 04644 392 NtUserQueryWindow (65744, 1, ... ) == 0x4f0 04645 392 NtUserQueryWindow (65746, 0, ... ) == 0x768 04646 392 NtUserQueryWindow (65746, 1, ... ) == 0x4f0 04647 392 NtUserQueryWindow (65748, 0, ... ) == 0x768 04648 392 NtUserQueryWindow (65748, 1, ... ) == 0x4f0 04649 392 NtUserQueryWindow (65738, 0, ... ) == 0x768 04650 392 NtUserQueryWindow (65738, 1, ... ) == 0x77c 04651 392 NtUserQueryWindow (131166, 0, ... ) == 0x7c8 04652 392 NtUserQueryWindow (131166, 1, ... ) == 0x7cc 04653 392 NtUserQueryWindow (131170, 0, ... ) == 0x7b0 04654 392 NtUserQueryWindow (131170, 1, ... ) == 0x7b4 04655 392 NtUserQueryWindow (65698, 0, ... ) == 0x7a8 04656 392 NtUserQueryWindow (65698, 1, ... ) == 0x7ac 04657 392 NtUserQueryWindow (65644, 0, ... ) == 0x768 04658 392 NtUserQueryWindow (65644, 1, ... ) == 0x794 04659 392 NtUserQueryWindow (327760, 0, ... 
) == 0x768 04660 392 NtUserQueryWindow (327760, 1, ... ) == 0x76c 04661 392 NtUserQueryWindow (262228, 0, ... ) == 0x768 04662 392 NtUserQueryWindow (262228, 1, ... ) == 0x76c 04663 392 NtUserQueryWindow (327758, 0, ... ) == 0x768 04664 392 NtUserQueryWindow (327758, 1, ... ) == 0x76c 04665 392 NtUserQueryWindow (65666, 0, ... ) == 0x768 04666 392 NtUserQueryWindow (65666, 1, ... ) == 0x76c 04667 392 NtUserQueryWindow (65654, 0, ... ) == 0x768 04668 392 NtUserQueryWindow (65654, 1, ... ) == 0x76c 04669 392 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 04670 392 NtUserQueryWindow (65656, 0, ... ) == 0x768 04671 392 NtUserQueryWindow (65656, 1, ... ) == 0x76c 04672 392 NtUserQueryWindow (65658, 0, ... ) == 0x768 04673 392 NtUserQueryWindow (65658, 1, ... ) == 0x76c 04674 392 NtUserCloseDesktop (240, ... 04675 392 NtClose (240, ... ) == 0x0 04674 392 NtUserCloseDesktop ... ) == 0x1 04676 392 NtUserGetProcessWindowStation (... ) == 0x28 04677 392 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 04678 392 NtUserGetProcessWindowStation (... ) == 0x28 04679 392 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 04680 392 NtGdiDeleteObjectApp (50987847, ... ) == 0x1 04681 392 NtGdiDeleteObjectApp (50987846, ... ) == 0x1 04682 392 NtClose (12, ... ) == 0x0 04683 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 04684 392 NtFreeVirtualMemory (-1, (0x158000), 16384, 16384, ... (0x158000), 16384, ) == 0x0 04685 392 NtFreeVirtualMemory (-1, (0xdc0000), 0, 32768, ... (0xdc0000), 262144, ) == 0x0 04686 392 NtUserUnregisterClass (1238716, 1991376896, 1238704, ... ) == 0x0 04687 392 NtClose (192, ... ) == 0x0 04688 392 NtUnmapViewOfSection (-1, 0xe10000, ... ) == 0x0 04689 392 NtClose (196, ... ) == 0x0 04690 392 NtClose (188, ... 
) == 0x0 04691 392 NtFreeVirtualMemory (-1, (0x151000), 4096, 16384, ... (0x151000), 4096, ) == 0x0 04692 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 04693 392 NtFreeVirtualMemory (-1, (0xc30000), 0, 32768, ... (0xc30000), 262144, ) == 0x0 04694 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04695 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04696 392 NtReleaseMutant (76, ... 0x0, ) == 0x0 04697 392 NtUserUnhookWindowsHookEx (196667, ... ) == 0x1 04698 392 NtTerminateThread (80, 0, ... ) == 0x0 04699 392 NtTerminateThread (56, 0, ... ) == 0x0 04700 392 NtTerminateThread (72, 0, ... ) == 0x0 04701 392 NtUserKillTimer (0, 32761, ... ) == 0x1 04702 392 NtClose (84, ... ) == 0x0 04703 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b 04704 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04705 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d 04706 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04707 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f 04708 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04709 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc041 04710 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04711 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc043 04712 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04713 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc045 04714 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04715 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc047 04716 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... 
) == 0x1 04717 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc049 04718 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04719 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b 04720 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04721 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d 04722 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04723 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f 04724 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04725 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc051 04726 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04727 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc053 04728 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04729 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc057 04730 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04731 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc059 04732 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04733 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b 04734 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04735 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d 04736 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04737 392 NtUserGetClassInfo (1999896576, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f 04738 392 NtUserUnregisterClass (1238808, 1999896576, 1238796, ... ) == 0x1 04739 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03b 04740 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04741 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03d 04742 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04743 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc03f 04744 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04745 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc041 04746 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04747 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc043 04748 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04749 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc045 04750 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04751 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc047 04752 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04753 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc049 04754 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04755 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04b 04756 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04757 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04d 04758 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04759 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc04f 04760 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04761 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc051 04762 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04763 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc053 04764 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04765 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc057 04766 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04767 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc059 04768 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04769 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05b 04770 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04771 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05d 04772 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04773 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc05f 04774 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04775 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc017 04776 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04777 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc019 04778 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04779 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc018 04780 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04781 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01a 04782 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04783 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01c 04784 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04785 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01e 04786 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04787 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc01b 04788 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... 
) == 0x1 04789 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc068 04790 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04791 392 NtUserGetClassInfo (1905590272, 1238804, 1238756, 1238832, 0, ... ) == 0xc06a 04792 392 NtUserUnregisterClass (1238808, 1905590272, 1238796, ... ) == 0x1 04793 392 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 04794 392 NtFreeVirtualMemory (-1, (0x175000), 4096, 16384, ... (0x175000), 4096, ) == 0x0 04795 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 04796 392 NtClose (264, ... ) == 0x0 04797 392 NtClose (432, ... ) == 0x0 04798 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 04799 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 04800 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 04801 392 NtClose (260, ... ) == 0x0 04802 392 NtClose (436, ... ) == 0x0 04803 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 04804 392 NtUnmapViewOfSection (-1, 0x1090000, ... ) == 0x0 04805 392 NtClose (404, ... ) == 0x0 04806 392 NtClose (248, ... ) == 0x0 04807 392 NtFreeVirtualMemory (-1, (0x890000), 4096, 32768, ... (0x890000), 4096, ) == 0x0 04808 392 NtClose (388, ... ) == 0x0 04809 392 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 392, 2710, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 388, 392, 2710, 0} (24, {20, 48, new_msg, 0, 0, 1239308, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 392, 2710, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 04810 392 NtTerminateProcess (-1, 0, ... 04811 392 NtClose (44, ... ) == 0x0