Summary:


NtAddAtom(>) 
 1 
NtGdiHfontCreate(>) 
 2 
NtOpenSymbolicLinkObject(>) 
 6 
NtQuerySection(>) 
 29 

NtAllocateLocallyUniqueId(>) 
 1 
NtLockFile(>) 
 2 
NtQuerySymbolicLinkObject(>) 
 6 
NtEnumerateKey(>) 
 31 

NtCallbackReturn(>) 
 1 
NtOpenDirectoryObject(>) 
 2 
NtResumeThread(>) 
 6 
NtContinue(>) 
 32 

NtClearEvent(>) 
 1 
NtQueryInformationJobObject(>) 
 2 
NtCreateSemaphore(>) 
 7 
NtCreateFile(>) 
 33 

NtConnectPort(>) 
 1 
NtSetEvent(>) 
 2 
NtDelayExecution(>) 
 7 
NtOpenThreadToken(>) 
 33 

NtDuplicateToken(>) 
 1 
NtUnlockFile(>) 
 2 
NtTestAlert(>) 
 7 
NtSetInformationFile(>) 
 34 

NtGdiCreateBitmap(>) 
 1 
NtUserCloseDesktop(>) 
 2 
NtUserCallNoParam(>) 
 7 
NtCreateEvent(>) 
 36 

NtGdiCreateHalftonePalette(>) 
 1 
NtUserCreateWindowEx(>) 
 2 
NtQueryVirtualMemory(>) 
 8 
NtQueryInformationFile(>) 
 37 

NtGdiCreatePaletteInternal(>) 
 1 
NtUserDestroyWindow(>) 
 2 
NtRegisterThreadTerminatePort(>) 
 8 
NtReleaseMutant(>) 
 39 

NtGdiCreatePatternBrushInternal(>) 
 1 
NtUserGetObjectInformation(>) 
 2 
NtSetEventBoostPriority(>) 
 8 
NtUnmapViewOfSection(>) 
 41 

NtGdiDoPalette(>) 
 1 
NtUserMessageCall(>) 
 2 
NtWriteVirtualMemory(>) 
 8 
NtQueryDefaultLocale(>) 
 42 

NtGdiInit(>) 
 1 
NtUserSetTimer(>) 
 2 
NtQueryDefaultUILanguage(>) 
 10 
NtQueryInformationProcess(>) 
 46 

NtGdiQueryFontAssocInfo(>) 
 1 
NtYieldExecution(>) 
 2 
NtUserGetWindowDC(>) 
 10 
NtUserUnregisterClass(>) 
 47 

NtGdiSelectBitmap(>) 
 1 
NtOpenMutant(>) 
 3 
NtSetValueKey(>) 
 11 
NtUserFindExistingCursorIcon(>) 
 49 

NtOpenKeyedEvent(>) 
 1 
NtOpenProcess(>) 
 3 
NtUserCallOneParam(>) 
 11 
NtProtectVirtualMemory(>) 
 57 

NtQueryFullAttributesFile(>) 
 1 
NtQueryInstallUILanguage(>) 
 3 
NtUserSystemParametersInfo(>) 
 11 
NtCreateSection(>) 
 59 

NtQueryObject(>) 
 1 
NtTerminateProcess(>) 
 3 
NtWriteFile(>) 
 14 
NtUserRegisterClassExWOW(>) 
 65 

NtQueryPerformanceCounter(>) 
 1 
NtTerminateThread(>) 
 3 
NtOpenProcessToken(>) 
 15 
NtOpenSection(>) 
 77 

NtQuerySystemTime(>) 
 1 
NtUserOpenDesktop(>) 
 3 
NtCreateKey(>) 
 17 
NtWaitForSingleObject(>) 
 77 

NtSecureConnectPort(>) 
 1 
NtUserRemoveProp(>) 
 3 
NtDeviceIoControlFile(>) 
 17 
NtReadFile(>) 
 82 

NtUserBuildNameList(>) 
 1 
NtWaitForMultipleObjects(>) 
 3 
NtFsControlFile(>) 
 17 
NtMapViewOfSection(>) 
 86 

NtUserGetAtomName(>) 
 1 
NtGdiCreateCompatibleDC(>) 
 4 
NtNotifyChangeKey(>) 
 17 
NtOpenFile(>) 
 91 

NtUserGetDC(>) 
 1 
NtOpenEvent(>) 
 4 
NtQueryVolumeInformationFile(>) 
 17 
NtQuerySystemInformation(>) 
 91 

NtUserGetForegroundWindow(>) 
 1 
NtQueryInformationThread(>) 
 4 
NtRequestWaitReplyPort(>) 
 17 
NtUserGetClassInfo(>) 
 91 

NtUserGetGUIThreadInfo(>) 
 1 
NtQuerySecurityObject(>) 
 4 
NtFreeVirtualMemory(>) 
 19 
NtAllocateVirtualMemory(>) 
 94 

NtUserGetThreadDesktop(>) 
 1 
NtUserBuildHwndList(>) 
 4 
NtUserRegisterWindowMessage(>) 
 19 
NtOpenProcessTokenEx(>) 
 110 

NtUserKillTimer(>) 
 1 
NtCreateMutant(>) 
 5 
NtQueryDirectoryFile(>) 
 20 
NtOpenThreadTokenEx(>) 
 110 

NtUserSetProp(>) 
 1 
NtDuplicateObject(>) 
 5 
NtEnumerateValueKey(>) 
 23 
NtUserQueryWindow(>) 
 114 

NtUserSetWindowsHookEx(>) 
 1 
NtGdiGetStockObject(>) 
 5 
NtFlushInstructionCache(>) 
 24 
NtQueryInformationToken(>) 
 127 

NtUserUnhookWindowsHookEx(>) 
 1 
NtReadVirtualMemory(>) 
 5 
NtQueryDebugFilterState(>) 
 24 
NtQueryKey(>) 
 129 

NtAccessCheck(>) 
 2 
NtSetInformationObject(>) 
 5 
NtRaiseException(>) 
 25 
NtQueryAttributesFile(>) 
 153 

NtCreateIoCompletion(>) 
 2 
NtUserGetProcessWindowStation(>) 
 5 
NtSetInformationThread(>) 
 27 
NtQueryValueKey(>) 
 306 

NtCreateProcessEx(>) 
 2 
NtCreateThread(>) 
 6 
NtReleaseSemaphore(>) 
 28 
NtOpenKey(>) 
 500 

NtGdiCreateSolidBrush(>) 
 2 
NtGdiDeleteObjectApp(>) 
 6 
NtSetInformationProcess(>) 
 28 
NtClose(>) 
 608 


Trace:
 00001   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   388   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   388   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   388   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   388   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   388   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   388   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   388   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   388   NtClose  (12, ... ) == 0x0
 00014   388   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   388   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   388   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   388   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   388   NtClose  (16, ... ) == 0x0
 00021   388   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   388   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   388   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   388   NtClose  (16, ... ) == 0x0
 00026   388   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   388   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   388   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   388   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 388, 1483, 0} "\220;\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 316, 388, 1483, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 388, 1483, 0} "\220;\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   388   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   388   NtClose  (16, ... ) == 0x0
 00036   388   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   388   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   388   NtClose  (28, ... ) == 0x0
 00041   388   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   388   NtClose  (28, ... ) == 0x0
 00045   388   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   388   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   388   NtClose  (28, ... ) == 0x0
 00049   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   388   NtClose  (28, ... ) == 0x0
 00052   388   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 388, 1485, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 316, 388, 1485, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 388, 1485, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   388   NtProtectVirtualMemory  (-1, (0x92a000), 24576, 4, ... (0x92a000), 24576, 128, ) == 0x0
 00057   388   NtProtectVirtualMemory  (-1, (0x92a000), 24576, 128, ... (0x92a000), 24576, 4, ) == 0x0
 00058   388   NtFlushInstructionCache  (-1, 9609216, 24576, ... ) == 0x0
 00059   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00060   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   388   NtClose  (28, ... ) == 0x0
 00062   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   388   NtClose  (28, ... ) == 0x0
 00065   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   388   NtClose  (28, ... ) == 0x0
 00068   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   388   NtClose  (28, ... ) == 0x0
 00071   388   NtProtectVirtualMemory  (-1, (0x92a000), 24576, 4, ... (0x92a000), 24576, 64, ) == 0x0
 00072   388   NtProtectVirtualMemory  (-1, (0x92a000), 24576, 64, ... (0x92a000), 24576, 4, ) == 0x0
 00073   388   NtFlushInstructionCache  (-1, 9609216, 24576, ... ) == 0x0
 00074   388   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   388   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   388   NtClose  (28, ... ) == 0x0
 00077   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   388   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   388   NtClose  (28, ... ) == 0x0
 00080   388   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   388   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   388   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   388   NtClose  (28, ... ) == 0x0
 00085   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   388   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   388   NtClose  (28, ... ) == 0x0
 00088   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   388   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 388, 1488, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 316, 388, 1488, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 388, 1488, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00093   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   388   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x930000), 0x0, 1060864, ) == 0x0
 00095   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   388   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   388   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   388   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   388   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   388   NtClose  (-2147482020, ... ) == 0x0
 00101   388   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   388   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   388   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   388   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   388   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   388   NtClose  (-2147482020, ... ) == 0x0
 00107   388   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   388   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   388   NtClose  (-2147482020, ... ) == 0x0
 00110   388   NtQueryDefaultLocale  (0, -131036660, ... ) == 0x0
 00111   388   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   388   NtUserCallNoParam  (24, ... ) == 0x0
 00113   388   NtGdiCreateCompatibleDC  (0, ...
 00114   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   388   NtGdiCreateCompatibleDC  ... ) == 0x130103bc
 00115   388   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   388   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   388   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xc0503df
 00118   388   NtGdiCreateSolidBrush  (0, 0, ...
 00119   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 13893632, 4096, ) == 0x0
 00118   388   NtGdiCreateSolidBrush  ... ) == 0xb1003de
 00120   388   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   388   NtGdiCreateCompatibleDC  (0, ... ) == 0x390103e4
 00122   388   NtGdiSelectBitmap  (956367844, 201655263, ... ) == 0x185000f
 00123   388   NtUserGetThreadDesktop  (388, 0, ... ) == 0x2c
 00124   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   388   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   388   NtClose  (52, ... ) == 0x0
 00127   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00129   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00131   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00133   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00135   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00137   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00139   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00141   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00143   388   NtAllocateVirtualMemory  (-1, 10842112, 0, 4096, 4096, 32, ... 10842112, 4096, ) == 0x0
 00142   388   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00144   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00145   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00146   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00147   388   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00148   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00149   388   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00150   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00151   388   NtCallbackReturn  (0, 0, 0, ...
 00152   388   NtGdiInit  (... ) == 0x1
 00153   388   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   388   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   388   NtTestAlert  (... ) == 0x0
 00156   388   NtContinue  (1244464, 1, ...
 00157   388   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x92a0cc,}, 4, ... ) == 0x0
 00158   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00159   388   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   388   NtClose  (52, ... ) == 0x0
 00161   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00162   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00163   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00164   388   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0
 00165   388   NtClose  (52, ... ) == 0x0
 00166   388   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244956,  (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ...
 00167   388   NtClose  (-2147482020, ... ) == 0x0
 00166   388   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00168   388   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0
 00169   388   NtClose  (52, ... ) == 0x0
 00170   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0
 00171   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244368,  (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0
 00172   388   NtQueryVolumeInformationFile  (52, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00173   388   NtQueryInformationFile  (52, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00174   388   NtQueryInformationFile  (52, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00175   388   NtSetInformationFile  (52, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00176   388   NtSetInformationFile  (52, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00177   388   NtReadFile  (52, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (52, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00178   388   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 13959168, 524288, ) == 0x0
 00179   388   NtAllocateVirtualMemory  (-1, 13959168, 0, 4096, 4096, 4, ... 13959168, 4096, ) == 0x0
 00180   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244372,  (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00182   388   NtClose  (-2147482020, ... ) == 0x0
 00181   388   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00183   388   NtQueryVolumeInformationFile  (56, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00184   388   NtQueryInformationFile  (56, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00185   388   NtAllocateVirtualMemory  (-1, 1327104, 0, 8192, 4096, 4, ... 1327104, 8192, ) == 0x0
 00186   388   NtAllocateVirtualMemory  (-1, 1335296, 0, 36864, 4096, 4, ... 1335296, 36864, ) == 0x0
 00187   388   NtAllocateVirtualMemory  (-1, 1372160, 0, 36864, 4096, 4, ... 1372160, 36864, ) == 0x0
 00188   388   NtQueryInformationFile  (52, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00189   388   NtSetInformationFile  (52, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00190   388   NtSetInformationFile  (52, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00191   388   NtReadFile  (52, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (52, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00192   388   NtSetInformationFile  (52, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00193   388   NtSetInformationFile  (56, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00194   388   NtReadFile  (52, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864},  (52, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0
 00195   388   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00196   388   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00197   388   NtQueryInformationFile  (52, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00198   388   NtSetInformationFile  (56, 1244896, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00199   388   NtFreeVirtualMemory  (-1, (0x144000), 81920, 16384, ... (0x144000), 81920, ) == 0x0
 00200   388   NtClose  (56, ... ) == 0x0
 00201   388   NtClose  (52, ... ) == 0x0
 00202   388   NtUnmapViewOfSection  (-1, 0x73dc0000, ... ) == 0x0
 00203   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0
 00204   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00205   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0
 00206   388   NtClose  (52, ... ) == 0x0
 00207   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 36864, ) == 0x0
 00208   388   NtClose  (56, ... ) == 0x0
 00209   388   NtUnmapViewOfSection  (-1, 0xdd0000, ... ) == 0x0
 00210   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00211   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00212   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00213   388   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00214   388   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00215   388   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00216   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00217   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00218   388   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00219   388   NtClose  (64, ... ) == 0x0
 00220   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00221   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00222   388   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00223   388   NtClose  (64, ... ) == 0x0
 00224   388   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00225   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00226   388   NtClose  (60, ... ) == 0x0
 00227   388   NtClose  (56, ... ) == 0x0
 00228   388   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0
 00229   388   NtClose  (52, ... ) == 0x0
 00230   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0
 00231   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0
 00232   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00233   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00234   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00235   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00236   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00237   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00238   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00239   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == 0x0
 00243   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00244   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00245   388   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00246   388   NtClose  (52, ... ) == 0x0
 00247   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00248   388   NtClose  (56, ... ) == 0x0
 00249   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00250   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00251   388   NtClose  (56, ... ) == 0x0
 00252   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0
 00256   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00257   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00258   388   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00259   388   NtClose  (56, ... ) == 0x0
 00260   388   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00261   388   NtClose  (52, ... ) == 0x0
 00262   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00263   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00264   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00265   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00266   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14483456, 65536, ) == 0x0
 00267   388   NtAllocateVirtualMemory  (-1, 14483456, 0, 4096, 4096, 4, ... 14483456, 4096, ) == 0x0
 00268   388   NtAllocateVirtualMemory  (-1, 14487552, 0, 8192, 4096, 4, ... 14487552, 8192, ) == 0x0
 00269   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00270   388   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xde0000), 0x0, 12288, ) == 0x0
 00271   388   NtClose  (52, ... ) == 0x0
 00272   388   NtAllocateVirtualMemory  (-1, 14495744, 0, 4096, 4096, 4, ... 14495744, 4096, ) == 0x0
 00273   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00274   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00275   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00276   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00277   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 00278   388   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00279   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0
 00280   388   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x0
 00281   388   NtUserSetWindowsHookEx  (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3004d
 00282   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14614528, 1048576, ) == 0x0
 00283   388   NtAllocateVirtualMemory  (-1, 15654912, 0, 8192, 4096, 4, ... 15654912, 8192, ) == 0x0
 00284   388   NtProtectVirtualMemory  (-1, (0xeee000), 4096, 260, ... (0xeee000), 4096, 4, ) == 0x0
 00285   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 60, {316, 564}, ) == 0x0
 00286   388   NtQueryInformationThread  (60, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=316,Tid=564,}, 0x0, ) == 0x0
 00287   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490}  (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490} "\0\0\0\0\1\0\1\0E\0R\03\02\0<\0\0\0<\1\0\04\2\0\0" ... {28, 56, reply, 0, 316, 388, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0<\0\0\0<\1\0\04\2\0\0" )  ... {28, 56, reply, 0, 316, 388, 1499, 0}  (24, {28, 56, new_msg, 0, 50463490, 50463490, 50463490, 50463490} "\0\0\0\0\1\0\1\0E\0R\03\02\0<\0\0\0<\1\0\04\2\0\0" ... {28, 56, reply, 0, 316, 388, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0<\0\0\0<\1\0\04\2\0\0" )  ) == 0x0
 00288   388   NtResumeThread  (60, ... 1, ) == 0x0
 00289   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15663104, 1048576, ) == 0x0
 00290   388   NtAllocateVirtualMemory  (-1, 16703488, 0, 8192, 4096, 4, ... 16703488, 8192, ) == 0x0
 00291   564   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 64, ) == 0x0
 00292   564   NtWaitForSingleObject  (64, 0, 0x0, ...
 00293   388   NtProtectVirtualMemory  (-1, (0xfee000), 4096, 260, ... (0xfee000), 4096, 4, ) == 0x0
 00294   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 68, {316, 384}, ) == 0x0
 00295   388   NtQueryInformationThread  (68, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=316,Tid=384,}, 0x0, ) == 0x0
 00296   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 316, 388, 1499, 0}  (24, {28, 56, new_msg, 0, 316, 388, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0<\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 316, 388, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0<\1\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 316, 388, 1500, 0}  (24, {28, 56, new_msg, 0, 316, 388, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0<\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 316, 388, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0<\1\0\0\200\1\0\0" )  ) == 0x0
 00297   388   NtResumeThread  (68, ... 1, ) == 0x0
 00298   388   NtUserSetTimer  (0, 0, 4096, 268451664, ...
 00299   384   NtWaitForSingleObject  (64, 0, 0x0, ...
 00298   388   NtUserSetTimer  ... ) == 0x7ff9
 00300   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16711680, 1048576, ) == 0x0
 00301   388   NtAllocateVirtualMemory  (-1, 17752064, 0, 8192, 4096, 4, ... 17752064, 8192, ) == 0x0
 00302   388   NtProtectVirtualMemory  (-1, (0x10ee000), 4096, 260, ... (0x10ee000), 4096, 4, ) == 0x0
 00303   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {316, 380}, ) == 0x0
 00304   388   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=316,Tid=380,}, 0x0, ) == 0x0
 00305   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 316, 388, 1500, 0}  (24, {28, 56, new_msg, 0, 316, 388, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0|\1\0\0" ... {28, 56, reply, 0, 316, 388, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0|\1\0\0" )  ... {28, 56, reply, 0, 316, 388, 1501, 0}  (24, {28, 56, new_msg, 0, 316, 388, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0|\1\0\0" ... {28, 56, reply, 0, 316, 388, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0|\1\0\0" )  ) == 0x0
 00306   388   NtResumeThread  (72, ... 1, ) == 0x0
 00307   388   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   380   NtWaitForSingleObject  (64, 0, 0x0, ...
 00309   388   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 76, ) }, {20480, 0}, 4, 134217728, 0, ... 76, ) == 0x0
 00310   388   NtSetEventBoostPriority  (64, ...
 00292   564   NtWaitForSingleObject  ... ) == 0x0
 00311   564   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00312   564   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00313   564   NtSetEventBoostPriority  (64, ...
 00299   384   NtWaitForSingleObject  ... ) == 0x0
 00314   384   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00315   384   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00316   384   NtSetEventBoostPriority  (64, ...
 00308   380   NtWaitForSingleObject  ... ) == 0x0
 00317   380   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00318   380   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00319   380   NtTestAlert  (... ) == 0x0
 00320   380   NtContinue  (17759536, 1, ...
 00321   380   NtRegisterThreadTerminatePort  (24, ...
 00316   384   NtSetEventBoostPriority  ... ) == 0x0
 00313   564   NtSetEventBoostPriority  ... ) == 0x0
 00310   388   NtSetEventBoostPriority  ... ) == 0x0
 00322   384   NtTestAlert  (...
 00323   564   NtTestAlert  (...
 00324   388   NtMapViewOfSection  (76, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ...
 00322   384   NtTestAlert  ... ) == 0x0
 00323   564   NtTestAlert  ... ) == 0x0
 00324   388   NtMapViewOfSection  ... (0x10f0000), {0, 0}, 20480, ) == 0x0
 00321   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 00325   384   NtContinue  (16710960, 1, ...
 00326   564   NtContinue  (15662384, 1, ...
 00327   380   NtDelayExecution  (0, {-20480000, -1}, ...
 00328   384   NtRegisterThreadTerminatePort  (24, ...
 00329   564   NtRegisterThreadTerminatePort  (24, ...
 00328   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00329   564   NtRegisterThreadTerminatePort  ... ) == 0x0
 00330   564   NtDelayExecution  (0, {-40960000, -1}, ...
 00331   388   NtUnmapViewOfSection  (-1, 0x10f0000, ... ) == 0x0
 00332   388   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 17760256, 8192, ) == 0x0
 00333   388   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 17825792, 4096, ) == 0x0
 00334   384   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 80, ) }, ... 80, ) == 0x0
 00335   384   NtQueryValueKey  (80,  (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00336   384   NtQueryValueKey  (80,  (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00337   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00338   384   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Protocol_Catalog9"}, ... 88, ) }, ... 88, ) == 0x0
 00339   384   NtQueryValueKey  (88,  (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00340   384   NtNotifyChangeKey  (88, 84, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00341   384   NtQueryValueKey  (88,  (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00342   384   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00343   388   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00344   388   NtAllocateVirtualMemory  (-1, 0, 0, 2048, 4096, 64, ... 17891328, 4096, ) == 0x0
 00345   384   NtQueryValueKey  (88,  (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00346   384   NtQueryValueKey  (88,  (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00347   384   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Catalog_Entries"}, ... 92, ) }, ... 92, ) == 0x0
 00348   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000001"}, ... 96, ) }, ... 96, ) == 0x0
 00349   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00350   388   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00351   388   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 17956864, 8192, ) == 0x0
 00349   384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00352   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00353   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0b\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0<\1\0\0\204\1\0\0:\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0,\0\0\0\0\0\0\0\0\0\0\0\0@\0\0c\1\0\0<\1\0\0\204\1\0\0:\0\0\0\1\0\1\0\240\0\0\300\0\0\0\0d\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\376i\0\0\0\20\0\0@\0\0\0d\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\23\1\0\0\0\0\0p\0\0e\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0e\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0f\1\0\0<\1\0\0\200\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0b\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0<\1\0\0\204\1\0\0:\0\0\0\0\0\1\0\0\0\0\0\30\0\0\0\377\377\377\377\0\0\0\0,\0\0\0\0\0\0\0\0\0\0\0\0@\0\0c\1\0\0<\1\0\0\204\1\0\0:\0\0\0\1\0\1\0\240\0\0\300\0\0\0\0d\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\376i\0\0\0\20\0\0@\0\0\0d\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\23\1\0\0\0\0\0p\0\0e\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0e\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0f\1\0\0<\1\0\0\200\1\0\0"}, 900, ) }, 900, ) == 0x0
 00354   384   NtClose  (96, ... ) == 0x0
 00355   388   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00356   388   NtAllocateVirtualMemory  (-1, 0, 0, 27134, 4096, 64, ... 18022400, 28672, ) == 0x0
 00357   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000002"}, ... 96, ) }, ... 96, ) == 0x0
 00358   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00359   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00360   388   NtFreeVirtualMemory  (-1, (0x2c), 0, 16384, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00361   384   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00362   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0k\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0k\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0e@\0\0\20\0\0@\0\0\0l\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\24\1\0\0\0\0\0p@\0m\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0m\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0n\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0k\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0k\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0e@\0\0\20\0\0@\0\0\0l\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\24\1\0\0\0\0\0p@\0m\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0m\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0n\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"}, 900, ) == 0x0
 00363   384   NtClose  (96, ... ) == 0x0
 00364   388   NtAllocateVirtualMemory  (-1, 0, 0, 4220160, 4096, 64, ... 18087936, 4222976, ) == 0x0
 00365   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000003"}, ... 96, ) }, ... 96, ) == 0x0
 00366   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00367   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00368   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0q\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0r\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00369   384   NtClose  (96, ... ) == 0x0
 00370   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000004"}, ... 96, ) }, ... 96, ) == 0x0
 00371   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00372   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00373   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0v\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0w\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00374   384   NtClose  (96, ... ) == 0x0
 00375   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000005"}, ... 96, ) }, ... 96, ) == 0x0
 00376   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00377   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00378   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0{\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0|\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00379   384   NtClose  (96, ... ) == 0x0
 00380   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000006"}, ... 96, ) }, ... 96, ) == 0x0
 00381   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00382   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00383   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\200\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\200\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\201\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\202\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0`\24\0\0\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\4\0\0\0\203\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0<\1\0\0\200\1\0\0\200\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\200\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\200\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\201\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\202\1\0\0<\1\0\0\204\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0`\24\0\0\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\4\0\0\0\203\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0<\1\0\0\200\1\0\0\200\0\0\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0<\1\0\0\200\1\0\0\200\0\0\0"}, 900, ) == 0x0
 00384   384   NtClose  (96, ... ) == 0x0
 00385   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000007"}, ... 96, ) }, ... 96, ) == 0x0
 00386   388   NtAllocateVirtualMemory  (-1, 1335296, 0, 45056, 4096, 4, ...
 00387   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00388   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00389   384   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 100, ) == 0x0
 00390   384   NtWaitForSingleObject  (100, 0, 0x0, ...
 00386   388   NtAllocateVirtualMemory  ... 1335296, 45056, ) == 0x0
 00391   388   NtSetEventBoostPriority  (100, ...
 00390   384   NtWaitForSingleObject  ... ) == 0x0
 00392   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\211\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\212\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00393   384   NtClose  (96, ... ) == 0x0
 00394   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000008"}, ... 96, ) }, ... 96, ) == 0x0
 00395   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00396   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00391   388   NtSetEventBoostPriority  ... ) == 0x0
 00396   384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00397   384   NtQueryValueKey  (96,  (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\216\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\216\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\1\0\0<\1\0\0\204\1\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\344\364\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0@\366\22\0\0\0\0\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\21\201\217\1\0\0<\1\0\0\204\1\0\0V\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\220\1\0\0<\1\0\0\204\1\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0`\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\220\1\0\0<\1\0\0\204\1\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0=w\377\377\377\377\0\0\0\0\0\0\0\0\0@\177\0\221\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\221\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\216\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\216\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\1\0\0<\1\0\0\204\1\0\0V\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\16\0\0\0\0\0\0\0\30\0\0\0\10\0\0\0\344\364\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0@\366\22\0\0\0\0\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\21\201\217\1\0\0<\1\0\0\204\1\0\0V\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\220\1\0\0<\1\0\0\204\1\0\0I\0\0\0\0\0\1\0\0\0\0\04\0\0\0`\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\220\1\0\0<\1\0\0\204\1\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0=w\377\377\377\377\0\0\0\0\0\0\0\0\0@\177\0\221\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\221\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0"}, 900, ) }, 900, ) == 0x0
 00398   384   NtClose  (96, ... ) == 0x0
 00399   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 96, ) }, ... 96, ) == 0x0
 00400   388   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00401   388   NtClose  (96, ... ) == 0x0
 00402   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... }, ...
 00403   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000009"}, ... }, ...
 00402   388   NtOpenSection  ... 96, ) == 0x0
 00404   388   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00405   388   NtClose  (96, ... ) == 0x0
 00406   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00408   388   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00409   388   NtClose  (96, ...
 00403   384   NtOpenKey  ... 104, ) == 0x0
 00410   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00411   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00412   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\235\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\236\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\237\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\1\0\0<\1\0\0\204\1\0\0\356\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\355\22\0\241\1\0\0<\1\0\0\204\1\0\0\31\4\0\0\0\0\0\0\0\0\0\0\20\0\0\0\376\377\377\377\10\0\2\0\1\0\0\0\0\2\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\235\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\235\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\236\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\237\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\1\0\0<\1\0\0\204\1\0\0\356\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\355\22\0\241\1\0\0<\1\0\0\204\1\0\0\31\4\0\0\0\0\0\0\0\0\0\0\20\0\0\0\376\377\377\377\10\0\2\0\1\0\0\0\0\2\0\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\1\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\1\0\0<\1\0\0\204\1\0\0\356\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\355\22\0\241\1\0\0<\1\0\0\204\1\0\0\31\4\0\0\0\0\0\0\0\0\0\0\20\0\0\0\376\377\377\377\10\0\2\0\1\0\0\0\0\2\0\0"}, 900, ) == 0x0
 00413   384   NtClose  (104, ... ) == 0x0
 00414   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0
 00415   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00409   388   NtClose  ... ) == 0x0
 00416   388   NtQueryDefaultUILanguage  (1240412, ...
 00417   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00418   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00419   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00420   388   NtClose  (-2147482020, ... ) == 0x0
 00421   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00415   384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00422   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00423   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\250\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\204\376\376\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30C\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\251\1\0\0<\1\0\0\200\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\1\0\0<\1\0\0\200\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00424   384   NtClose  (104, ... ) == 0x0
 00425   384   NtOpenKey  (0x20019, {24, 92, 0x40, 0, 0,  (0x20019, {24, 92, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0
 00426   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00427   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00428   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00429   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00430   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   388   NtClose  (-2147482032, ... ) == 0x0
 00432   388   NtClose  (-2147482020, ... ) == 0x0
 00416   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00433   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... }, ...
 00427   384   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00434   384   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\263\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\263\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\264\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0<\1\0\0\200\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\265\1\0\0<\1\0\0\200\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\266\1\0\0<\1\0\0\200\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\266\1\0\0<\1\0\0\200\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\261\1\0\0<\1\0\0\204\1\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\267\1\0\0<\1\0\0\204\1\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354g\355w\267\1\0\0<\1\0\0\204\1\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0<\1\0\0\204\1\0\0O\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\263\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\263\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0\264\1\0\0<\1\0\0\200\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\1\0\0<\1\0\0\200\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\265\1\0\0<\1\0\0\200\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\266\1\0\0<\1\0\0\200\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\266\1\0\0<\1\0\0\200\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0\261\1\0\0<\1\0\0\204\1\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\267\1\0\0<\1\0\0\204\1\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354g\355w\267\1\0\0<\1\0\0\204\1\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0<\1\0\0\204\1\0\0O\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0
 00435   384   NtClose  (104, ... ) == 0x0
 00436   384   NtClose  (92, ... ) == 0x0
 00437   384   NtWaitForSingleObject  (84, 0, {0, 0}, ... ) == 0x102
 00438   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00433   388   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   388   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00440   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 104, {status=0x0, info=1}, ) }, 1, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00441   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 104, ... 96, ) == 0x0
 00442   388   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1550000), 0x0, 8323072, ) == 0x0
 00443   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   388   NtQueryDefaultUILanguage  (2013024600, ...
 00445   384   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 00446   384   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00447   384   NtNotifyChangeKey  (108, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00448   384   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00449   384   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   384   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00451   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00452   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00453   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00454   388   NtClose  (-2147482020, ... ) == 0x0
 00455   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00456   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00457   384   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00458   384   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00459   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00460   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00461   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00462   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00463   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00464   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   388   NtClose  (-2147482032, ... ) == 0x0
 00466   388   NtClose  (-2147482020, ... ) == 0x0
 00444   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00467   388   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00468   388   NtQueryInstallUILanguage  (2013024602, ...
 00469   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00470   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00471   384   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00472   384   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00473   384   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00474   384   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00468   388   NtQueryInstallUILanguage  ... ) == 0x0
 00475   388   NtQueryDefaultLocale  (1, 1238448, ... ) == 0x0
 00476   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239304, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239304, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1h\0\0\0\377\377\377\377\0\0\0\0\20\311\214\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1503, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1h\0\0\0\377\377\377\377\0\0\0\0\20\311\214\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\360\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1503, 0}  (24, {128, 156, new_msg, 0, 1239304, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1h\0\0\0\377\377\377\377\0\0\0\0\20\311\214\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1503, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1h\0\0\0\377\377\377\377\0\0\0\0\20\311\214\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\360\22\0\0\0\0\0" )  ) == 0x0
 00478   388   NtClose  (104, ... ) == 0x0
 00479   388   NtClose  (96, ... ) == 0x0
 00480   384   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00481   384   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00482   384   NtClose  (116, ... ) == 0x0
 00483   384   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 00484   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00485   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00486   388   NtUnmapViewOfSection  (-1, 0x1550000, ... ) == 0x0
 00487   388   NtUnmapViewOfSection  (-1, 0x12f008, ... ) == STATUS_NOT_MAPPED_VIEW
 00488   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00489   388   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00490   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00491   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00492   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00493   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00494   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00495   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00496   384   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00497   384   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237532, ... }, 1237532, ...
 00499   384   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00500   384   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00501   384   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00502   384   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00503   384   NtClose  (116, ... ) == 0x0
 00504   384   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 00505   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00506   384   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00507   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00508   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00509   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00510   384   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00511   384   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00512   384   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   384   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00514   384   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00515   384   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00516   384   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00517   384   NtClose  (116, ... ) == 0x0
 00518   384   NtClose  (112, ... ) == 0x0
 00519   384   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 00520   384   NtClose  (80, ... ) == 0x0
 00521   384   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00522   384   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00523   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 80, ) }, ... 80, ) == 0x0
 00524   384   NtQueryValueKey  (80,  (80, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00525   384   NtClose  (80, ... ) == 0x0
 00526   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00527   384   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00528   384   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 00529   384   NtQueryInformationFile  (112, 1343360, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00530   384   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 22347776, 1052672, ) == 0x0
 00531   384   NtAllocateVirtualMemory  (-1, 22347776, 0, 235, 4096, 4, ... 22347776, 4096, ) == 0x0
 00532   384   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 00533   384   NtFreeVirtualMemory  (-1, (0x1550000), 1052672, 32768, ... (0x1550000), 1052672, ) == 0x0
 00534   384   NtUnlockFile  (112, {0, 0}, {-1, -1}, 384, ... ) == STATUS_RANGE_NOT_LOCKED
 00535   384   NtClose  (112, ... ) == 0x0
 00498   388   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536   384   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 00537   384   NtQueryInformationToken  (112, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00538   384   NtClose  (112, ... ) == 0x0
 00539   384   NtCreateFile  (0xc0100000, {24, 0, 0x40, 0, 0,  (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00540   384   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0
 00541   384   NtQueryInformationFile  (112, 1343360, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00542   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00543   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00544   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00545   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238124, ... ) }, 1238124, ... ) == 0x0
 00546   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 116, {status=0x0, info=1}, ) }, 3, 33, ... 116, {status=0x0, info=1}, ) == 0x0
 00547   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00548   384   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 22347776, 1052672, ) == 0x0
 00549   384   NtAllocateVirtualMemory  (-1, 22347776, 0, 235, 4096, 4, ... 22347776, 4096, ) == 0x0
 00550   384   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 00551   384   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=26843vdykn4066\15\12", 37, {231, 0}, 2012046884, ... {status=0x0, info=37}, ) , 37, {231, 0}, 2012046884, ... {status=0x0, info=37}, ) == 0x0
 00552   384   NtSetInformationFile  (112, 16710824, 8, EndOfFile, ...
 00553   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00554   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 96, ... 104, ) == 0x0
 00555   388   NtClose  (96, ... ) == 0x0
 00556   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1660000), 0x0, 921600, ) == 0x0
 00557   388   NtClose  (104, ... ) == 0x0
 00558   388   NtUnmapViewOfSection  (-1, 0x1660000, ... ) == 0x0
 00552   384   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 00559   384   NtFreeVirtualMemory  (-1, (0x1550000), 1052672, 32768, ... (0x1550000), 1052672, ) == 0x0
 00560   384   NtUnlockFile  (112, {0, 0}, {-1, -1}, 384, ... ) == STATUS_RANGE_NOT_LOCKED
 00561   384   NtClose  (112, ... ) == 0x0
 00562   384   NtDelayExecution  (0, {-122880000, -1}, ...
 00563   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00564   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 104, ) == 0x0
 00565   388   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00566   388   NtClose  (112, ... ) == 0x0
 00567   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00568   388   NtClose  (104, ... ) == 0x0
 00569   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00570   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00571   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00572   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00573   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00574   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00575   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00576   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00577   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00578   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00579   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00580   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00581   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00582   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00583   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00584   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00585   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00586   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00587   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00588   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00589   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00590   388   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239308, ... ) , 42, 1239308, ... ) == 0x0
 00591   388   NtQueryDefaultUILanguage  (1238024, ...
 00592   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00593   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00594   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00595   388   NtClose  (-2147482020, ... ) == 0x0
 00596   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00597   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00598   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00599   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   388   NtClose  (-2147482032, ... ) == 0x0
 00601   388   NtClose  (-2147482020, ... ) == 0x0
 00591   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00602   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236876, ... ) }, 1236876, ... ) == 0x0
 00604   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00605   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00606   388   NtClose  (104, ... ) == 0x0
 00607   388   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1550000), 0x0, 4096, ) == 0x0
 00608   388   NtClose  (112, ... ) == 0x0
 00609   388   NtUnmapViewOfSection  (-1, 0x1550000, ... ) == 0x0
 00610   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236516, ... ) }, 1236516, ... ) == 0x0
 00611   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237216,  (0x80100080, {24, 0, 0x40, 0, 1237216, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00612   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 104, ) == 0x0
 00613   388   NtClose  (112, ... ) == 0x0
 00614   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1550000), {0, 0}, 4096, ) == 0x0
 00615   388   NtClose  (104, ... ) == 0x0
 00616   388   NtUnmapViewOfSection  (-1, 0x1550000, ... ) == 0x0
 00617   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 104, {status=0x0, info=1}, ) }, 1, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00618   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 104, ... 112, ) == 0x0
 00619   388   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1550000), 0x0, 4096, ) == 0x0
 00620   388   NtQueryInformationFile  (104, 1236836, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00621   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00622   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236916, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236916, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1h\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\264\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1h\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\264\346\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1504, 0}  (24, {128, 156, new_msg, 0, 1236916, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1h\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\264\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1h\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\264\346\22\0\0\0\0\0" )  ) == 0x0
 00623   388   NtClose  (104, ... ) == 0x0
 00624   388   NtClose  (112, ... ) == 0x0
 00625   388   NtUnmapViewOfSection  (-1, 0x1550000, ... ) == 0x0
 00626   388   NtUnmapViewOfSection  (-1, 0x12e6b4, ... ) == STATUS_NOT_MAPPED_VIEW
 00627   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00628   388   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00629   388   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00630   388   NtUserGetDC  (0, ... ) == 0x1010053
 00631   388   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00632   388   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00633   388   NtUserSystemParametersInfo  (66, 12, 1239328, 0, ... ) == 0x1
 00634   388   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 00635   388   NtAccessCheck  (1326640, 112, 0x1, 1238732, 1238676, 56, 1238760, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00636   388   NtClose  (112, ... ) == 0x0
 00637   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00638   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 00639   388   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00640   388   NtClose  (112, ... ) == 0x0
 00641   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 112, ) }, ... 112, ) == 0x0
 00642   388   NtSetInformationObject  (112, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00643   388   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 00644   388   NtQueryValueKey  (104,  (104, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   388   NtClose  (104, ... ) == 0x0
 00646   388   NtUserSystemParametersInfo  (41, 500, 1238828, 0, ... ) == 0x1
 00647   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 104, ) }, ... 104, ) == 0x0
 00648   388   NtQueryValueKey  (104,  (104, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 96, ) }, ... 96, ) == 0x0
 00650   388   NtQueryValueKey  (96,  (96, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651   388   NtClose  (96, ... ) == 0x0
 00652   388   NtClose  (104, ... ) == 0x0
 00653   388   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00654   388   NtUserSystemParametersInfo  (4130, 0, 1239352, 0, ... ) == 0x1
 00655   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 104, ) }, ... 104, ) == 0x0
 00656   388   NtEnumerateValueKey  (104, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00657   388   NtClose  (104, ... ) == 0x0
 00658   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00659   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc03b
 00660   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc03d
 00661   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00662   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc03f
 00663   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00664   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc041
 00665   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00666   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc043
 00667   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc045
 00668   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00669   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc047
 00670   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00671   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc049
 00672   388   NtUserGetClassInfo  (1905590272, 1239248, 1239200, 1239276, 0, ... ) == 0xc049
 00673   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00674   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc04b
 00675   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00676   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc04d
 00677   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00678   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc04f
 00679   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc051
 00680   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00681   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc053
 00682   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00683   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc055
 00684   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc057
 00685   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00686   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc059
 00687   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10013
 00688   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc05b
 00689   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00690   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc05d
 00691   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00692   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc05f
 00693   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00694   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc017
 00695   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00696   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc019
 00697   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10013
 00698   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ... ) == 0x810dc018
 00699   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00700   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc01a
 00701   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00702   388   NtUserRegisterClassExWOW  (1239084, 1239164, 1239148, 1239180, 0, 384, 0, ...
 00703   388   NtAllocateVirtualMemory  (-1, 10846208, 0, 4096, 4096, 32, ... 10846208, 4096, ) == 0x0
 00702   388   NtUserRegisterClassExWOW  ... ) == 0x810dc01c
 00704   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00705   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc01e
 00706   388   NtUserFindExistingCursorIcon  (1238632, 1238648, 1239216, ... ) == 0x10011
 00707   388   NtUserRegisterClassExWOW  (1239144, 1239224, 1239208, 1239240, 0, 384, 0, ... ) == 0x810dc01b
 00708   388   NtUserFindExistingCursorIcon  (1238628, 1238644, 1239212, ... ) == 0x10011
 00709   388   NtUserRegisterClassExWOW  (1239140, 1239220, 1239204, 1239236, 0, 384, 0, ... ) == 0x810dc068
 00710   388   NtUserFindExistingCursorIcon  (1238636, 1238652, 1239220, ... ) == 0x10011
 00711   388   NtUserRegisterClassExWOW  (1239088, 1239168, 1239152, 1239184, 0, 384, 0, ... ) == 0x810dc06a
 00712   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 104, ) }, ... 104, ) == 0x0
 00713   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00714   388   NtClose  (104, ... ) == 0x0
 00715   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 104, ) == 0x0
 00716   388   NtQueryInformationProcess  (104, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00717   388   NtClose  (104, ... ) == 0x0
 00718   388   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00719   388   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00720   388   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00721   388   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "Control Panel\Desktop"}, ... 104, ) }, ... 104, ) == 0x0
 00722   388   NtQueryValueKey  (104,  (104, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723   388   NtClose  (104, ... ) == 0x0
 00724   388   NtUserSystemParametersInfo  (41, 500, 1239988, 0, ... ) == 0x1
 00725   388   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00726   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00727   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00728   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc03b
 00729   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00730   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc03d
 00731   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00732   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00733   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc03f
 00734   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00735   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00736   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc041
 00737   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00738   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00739   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc043
 00740   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00741   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc045
 00742   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00743   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00744   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc047
 00745   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00746   388   NtUserFindExistingCursorIcon  (1239776, 1239792, 1240360, ... ) == 0x10011
 00747   388   NtUserRegisterClassExWOW  (1240228, 1240308, 1240292, 1240324, 0, 384, 0, ... ) == 0x810dc049
 00748   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00749   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00750   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc04b
 00751   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00752   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00753   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc04d
 00754   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00755   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00756   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc04f
 00757   388   NtUserGetClassInfo  (1999896576, 1240400, 1240352, 1240428, 0, ... ) == 0x0
 00758   388   NtUserRegisterClassExWOW  (1240236, 1240316, 1240300, 1240332, 0, 384, 0, ... ) == 0x810dc051
 00759   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00760   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00761   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc053
 00762   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00763   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00764   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc055
 00765   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc057
 00766   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00767   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00768   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc059
 00769   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00770   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10013
 00771   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc05b
 00772   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00773   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00774   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc05d
 00775   388   NtUserGetClassInfo  (1999896576, 1240396, 1240348, 1240424, 0, ... ) == 0x0
 00776   388   NtUserFindExistingCursorIcon  (1239780, 1239796, 1240364, ... ) == 0x10011
 00777   388   NtUserRegisterClassExWOW  (1240232, 1240312, 1240296, 1240328, 0, 384, 0, ... ) == 0x810dc05f
 00778   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc03b
 00779   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc03d
 00780   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc03f
 00781   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc041
 00782   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc043
 00783   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc045
 00784   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc047
 00785   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc049
 00786   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc04b
 00787   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc04d
 00788   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc04f
 00789   388   NtUserGetClassInfo  (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0xc051
 00790   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc053
 00791   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc055
 00792   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc059
 00793   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc05b
 00794   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc05d
 00795   388   NtUserGetClassInfo  (1999896576, 1242148, 1242100, 1242176, 0, ... ) == 0xc05f
 00796   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 104, ) }, ... 104, ) == 0x0
 00797   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00798   388   NtClose  (104, ... ) == 0x0
 00799   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 104, ) }, ... 104, ) == 0x0
 00800   388   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00801   388   NtClose  (104, ... ) == 0x0
 00802   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00803   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00804   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 104, ) }, ... 104, ) == 0x0
 00805   388   NtQueryValueKey  (104,  (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00806   388   NtClose  (104, ... ) == 0x0
 00807   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00808   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00809   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00810   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00811   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 104, ) }, ... 104, ) == 0x0
 00812   388   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   388   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   388   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00815   388   NtClose  (104, ... ) == 0x0
 00816   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 104, ) }, ... 104, ) == 0x0
 00817   388   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   388   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   388   NtClose  (104, ... ) == 0x0
 00820   388   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   388   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00822   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   388   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00826   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00827   388   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00828   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "a1c21d0e0d6af099e3b6ed38f9d85d58ced8"}, 0, ... 104, ) }, 0, ... 104, ) == 0x0
 00829   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1237176, ... ) }, 1237176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00831   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1237176, ... ) }, 1237176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00832   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1237176, ... ) }, 1237176, ... ) == 0x0
 00833   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00834   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 120, ) == 0x0
 00835   388   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00836   388   NtClose  (96, ... ) == 0x0
 00837   388   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00838   388   NtClose  (120, ... ) == 0x0
 00839   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 120, ) }, ... 120, ) == 0x0
 00840   388   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00841   388   NtClose  (120, ... ) == 0x0
 00842   388   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 120, ) == 0x0
 00843   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00844   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 124, ) }, ... 124, ) == 0x0
 00845   388   NtNotifyChangeKey  (124, 96, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00846   388   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00847   388   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0
 00848   388   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 132, ) == 0x0
 00849   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1237176, ... ) }, 1237176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1237176, ... ) }, 1237176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1237176, ... ) }, 1237176, ... ) == 0x0
 00853   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 00854   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 136, ... 140, ) == 0x0
 00855   388   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00856   388   NtClose  (136, ... ) == 0x0
 00857   388   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 00858   388   NtClose  (140, ... ) == 0x0
 00859   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1236372, ... ) }, 1236372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1236372, ... ) }, 1236372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1236372, ... ) }, 1236372, ... ) == 0x0
 00863   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 00864   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 136, ) == 0x0
 00865   388   NtQuerySection  (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00866   388   NtClose  (140, ... ) == 0x0
 00867   388   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 00868   388   NtClose  (136, ... ) == 0x0
 00869   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00870   388   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 22478848, 262144, ) == 0x0
 00871   388   NtAllocateVirtualMemory  (-1, 22478848, 0, 4096, 4096, 4, ... 22478848, 4096, ) == 0x0
 00872   388   NtAllocateVirtualMemory  (-1, 22482944, 0, 8192, 4096, 4, ... 22482944, 8192, ) == 0x0
 00873   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00874   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00875   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 136, ) }, ... 136, ) == 0x0
 00876   388   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00877   388   NtClose  (136, ... ) == 0x0
 00878   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 136, ) }, ... 136, ) == 0x0
 00879   388   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00880   388   NtClose  (136, ... ) == 0x0
 00881   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 136, ) }, ... 136, ) == 0x0
 00882   388   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00883   388   NtClose  (136, ... ) == 0x0
 00884   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   388   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1237308, 0,  (0x1f0003, {24, 52, 0x80, 1237308, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00886   388   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 136, ) }, ... 136, ) == 0x0
 00887   388   NtCreateKey  (0xf003f, {24, 112, 0x40, 0, 0,  (0xf003f, {24, 112, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 00888   388   NtQueryDefaultUILanguage  (1235544, ...
 00889   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00890   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 00891   388   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00892   388   NtClose  (-2147482040, ... ) == 0x0
 00893   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00894   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   388   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00896   388   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   388   NtClose  (-2147482044, ... ) == 0x0
 00898   388   NtClose  (-2147482040, ... ) == 0x0
 00888   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00899   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 144, {status=0x0, info=1}, ) }, 1, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 00901   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 00902   388   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x15b0000), 0x0, 593920, ) == 0x0
 00903   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   388   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00905   388   NtQueryDefaultLocale  (1, 1233580, ... ) == 0x0
 00906   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00907   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\220\0\0\0\377\377\377\377\0\0\0\0P\275b\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1506, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\220\0\0\0\377\377\377\377\0\0\0\0P\275b\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1506, 0}  (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\220\0\0\0\377\377\377\377\0\0\0\0P\275b\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1506, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\331\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\220\0\0\0\377\377\377\377\0\0\0\0P\275b\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" )  ) == 0x0
 00908   388   NtClose  (144, ... ) == 0x0
 00909   388   NtClose  (148, ... ) == 0x0
 00910   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 00911   388   NtUnmapViewOfSection  (-1, 0x12dd04, ... ) == STATUS_NOT_MAPPED_VIEW
 00912   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00913   388   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00915   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00916   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1232120, ... ) }, 1232120, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00918   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00919   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00920   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1232712, ... ) }, 1232712, ... ) == 0x0
 00921   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 148, {status=0x0, info=1}, ) }, 3, 33, ... 148, {status=0x0, info=1}, ) == 0x0
 00922   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00923   388   NtCreateKey  (0x2001f, {24, 112, 0x40, 0, 0,  (0x2001f, {24, 112, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 00924   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1237196, ... ) }, 1237196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1237196, ... ) }, 1237196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1237196, ... ) }, 1237196, ... ) == 0x0
 00928   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 00929   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ... 156, ) == 0x0
 00930   388   NtQuerySection  (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00931   388   NtClose  (152, ... ) == 0x0
 00932   388   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 00933   388   NtClose  (156, ... ) == 0x0
 00934   388   NtAllocateVirtualMemory  (-1, 14499840, 0, 8192, 4096, 4, ... 14499840, 8192, ) == 0x0
 00935   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00936   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 00937   388   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00938   388   NtClose  (156, ... ) == 0x0
 00939   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 156, ) }, ... 156, ) == 0x0
 00940   388   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00941   388   NtClose  (156, ... ) == 0x0
 00942   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 156, ) }, ... 156, ) == 0x0
 00943   388   NtQueryValueKey  (156,  (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00944   388   NtQueryValueKey  (156,  (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00945   388   NtQueryValueKey  (156,  (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00946   388   NtQueryValueKey  (156,  (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 00947   388   NtClose  (156, ... ) == 0x0
 00948   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 156, ) }, ... 156, ) == 0x0
 00949   388   NtQueryValueKey  (156,  (156, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00950   388   NtQueryValueKey  (156,  (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00951   388   NtQueryValueKey  (156,  (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00952   388   NtQueryValueKey  (156,  (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00953   388   NtQueryValueKey  (156,  (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 00954   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236756, ... ) }, 1236756, ... ) == 0x0
 00955   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 00956   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 160, ) == 0x0
 00957   388   NtClose  (152, ... ) == 0x0
 00958   388   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x15b0000), 0x0, 135168, ) == 0x0
 00959   388   NtClose  (160, ... ) == 0x0
 00960   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 00961   388   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 00962   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 00963   388   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238312, ... ) }, 1238312, ... ) == 0x0
 00964   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238168,  (0x80100080, {24, 0, 0x40, 0, 1238168, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 00965   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 160, ... 152, ) == 0x0
 00966   388   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x15b0000), {0, 0}, 135168, ) == 0x0
 00967   388   NtQueryDefaultLocale  (1, 1237976, ... ) == 0x0
 00968   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00969   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00970   388   NtReadFile  (160, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (160, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 00971   388   NtQueryInformationFile  (160, 1238220, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 00972   388   NtSetInformationFile  (160, 1238220, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00973   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00974   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 00975   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 00976   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 00977   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 00978   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 00979   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 00980   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 00981   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 00982   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 00983   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 00984   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 00985   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 00986   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 00987   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 00988   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 00989   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 00990   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 00991   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 00992   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 00993   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 00994   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 00995   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 00996   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 00997   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 00998   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 00999   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01000   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01001   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01002   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01003   388   NtReadFile  (160, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (160, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01004   388   NtQueryInformationFile  (160, 1238220, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01005   388   NtSetInformationFile  (160, 1238220, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01006   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01007   388   NtReadFile  (160, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (160, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01008   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01009   388   NtClose  (152, ... ) == 0x0
 01010   388   NtClose  (160, ... ) == 0x0
 01011   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236700, ... ) }, 1236700, ... ) == 0x0
 01012   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01013   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 160, ... 152, ) == 0x0
 01014   388   NtClose  (160, ... ) == 0x0
 01015   388   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x15b0000), 0x0, 135168, ) == 0x0
 01016   388   NtClose  (152, ... ) == 0x0
 01017   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01018   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237016, ... ) }, 1237016, ... ) == 0x0
 01019   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01020   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ... 160, ) == 0x0
 01021   388   NtQuerySection  (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01022   388   NtClose  (152, ... ) == 0x0
 01023   388   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01024   388   NtClose  (160, ... ) == 0x0
 01025   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01026   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01027   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01028   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01029   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01030   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01031   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01032   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01033   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01034   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01035   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01036   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01037   388   NtAllocateVirtualMemory  (-1, 1380352, 0, 20480, 4096, 4, ... 1380352, 20480, ) == 0x0
 01038   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01039   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01040   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01041   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01042   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01043   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01044   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01045   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01046   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01047   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01048   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01049   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01050   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01051   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01052   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01053   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01054   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01055   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01056   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01057   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01058   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01059   388   NtQueryDefaultLocale  (1, 1235868, ... ) == 0x0
 01060   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235968, ... ) }, 1235968, ... ) == 0x0
 01061   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236700,  (0x80100080, {24, 0, 0x40, 0, 1236700, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01062   388   NtQueryVolumeInformationFile  (160, 1236860, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01063   388   NtQueryInformationFile  (160, 1236752, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01064   388   NtQueryInformationFile  (160, 1237044, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01065   388   NtClose  (160, ... ) == 0x0
 01066   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1235460, ... ) }, 1235460, ... ) == 0x0
 01067   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236192,  (0x80100080, {24, 0, 0x40, 0, 1236192, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01068   388   NtQueryVolumeInformationFile  (160, 1236352, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01069   388   NtQueryInformationFile  (160, 1236244, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01070   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 160, ... 152, ) == 0x0
 01071   388   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x15b0000), {0, 0}, 135168, ) == 0x0
 01072   388   NtQueryDefaultLocale  (1, 1236332, ... ) == 0x0
 01073   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01074   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01075   388   NtQueryDefaultLocale  (1, 1236332, ... ) == 0x0
 01076   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01077   388   NtQueryVirtualMemory  (-1, 0x15b0000, Basic, 28, ... {BaseAddress=0x15b0000,AllocationBase=0x15b0000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01078   388   NtReadFile  (160, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (160, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01079   388   NtQueryInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01080   388   NtSetInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01081   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01082   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01083   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01084   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01085   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01086   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01087   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01088   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01089   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01090   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01091   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01092   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01093   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01094   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01095   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01096   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01097   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01098   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01099   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01100   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01101   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01102   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01103   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01104   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01105   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01106   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01107   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01108   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01109   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01110   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01111   388   NtReadFile  (160, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (160, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01112   388   NtQueryInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01113   388   NtSetInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01114   388   NtQueryInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01115   388   NtSetInformationFile  (160, 1236580, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01116   388   NtReadFile  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (160, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01117   388   NtReadFile  (160, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (160, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01118   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01119   388   NtClose  (152, ... ) == 0x0
 01120   388   NtClose  (160, ... ) == 0x0
 01121   388   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 160, ) }, ... 160, ) == 0x0
 01122   388   NtQueryValueKey  (160,  (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01123   388   NtQueryValueKey  (160,  (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01124   388   NtQueryValueKey  (160,  (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01125   388   NtQueryValueKey  (160,  (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01126   388   NtClose  (160, ... ) == 0x0
 01127   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01128   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01129   388   NtOpenProcessToken  (-1, 0x8, ... 160, ) == 0x0
 01130   388   NtQueryInformationToken  (160, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01131   388   NtClose  (160, ... ) == 0x0
 01132   388   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 01133   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 160, {status=0x0, info=0}, ) }, 7, 16, ... 160, {status=0x0, info=0}, ) == 0x0
 01134   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\276\243\272>\7z\366\213\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01135   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01136   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01137   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01138   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01139   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01140   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01141   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01142   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01143   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "P\325\2203M%\1\22\253]\327\27s\27t\274T\263\16\374\355\300r\240\311\361\25(\226\256\10\370\207\241\317\210\33]\207\215\236\21\261\254\16\271J\271\27\7:O\235bp\310\365b\263/\346\374\357,\344V\3171\300\222\241\224\300&\252\330oN\235", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "P\325\2203M%\1\22\253]\327\27s\27t\274T\263\16\374\355\300r\240\311\361\25(\226\256\10\370\207\241\317\210\33]\207\215\236\21\261\254\16\271J\271\27\7:O\235bp\310\365b\263/\346\374\357,\344V\3171\300\222\241\224\300&\252\330oN\235", 80, ... ) , 80, ... ) == 0x0
 01144   388   NtClose  (-2147482040, ... ) == 0x0
 01134   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\215\177\223xZ\275m\305r;%\3612\312\371\271\346\345\256N\370\353\4a\250\364\200d\342K\234\251@e1\240\272gt\370g5P\235(5\223\342T\303\266\324\\275\207I\260\226j\233\272\26\324\306\35\30bp/\212\334\356\367j\236\356\233\320\230\260\245U\325\232\353Iy\2\320}\250\24x\34z\314\251\\217\351-\344?\274\336iX\247(J\344E\24oM\212\336pD\364\250\252\333\272]\250\311U\158\376\311\251\4\232\247z"\211\272\336\31J\365\275uiPN|\34\7\323\352\23&s\364\277o1j\3022\340\227\272m\7\322%\26\354r\340b\206s'\201\374l\275\273\335\320\212e\2668hv\306\356\372j\247\263\221\2\326\252\353\243\2247\240\235\351#(\207\372\\207\254\200\34\17\275\213\25\300\354\314\274\21\242\255fq\2601\311\235[\326\3\13\351\256o8\2423:\264$\305\23i\33bB\3058", ) \211\272\336\31J\365\275uiPN|\34\7\323\352\23&s\364\277o1j\3022\340\227\272m\7\322%\26\354r\340b\206s'\201\374l\275\273\335\320\212e\2668hv\306\356\372j\247\263\221\2\326\252\353\243\2247\240\235\351#(\207\372\\207\254\200\34\17\275\213\25\300\354\314\274\21\242\255fq\2601\311\235[\326\3\13\351\256o8\2423:\264$\305\23i\33bB\3058", ) == 0x0
 01145   388   NtClose  (156, ... ) == 0x0
 01146   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\270(\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01147   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01148   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01149   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01150   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01151   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01152   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01153   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01154   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01155   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "h\244\367\2,\224o\314\325\204w\200\315\255I\247\201\3{\374\3358x}\235%\201\31\6\332a\230\376\260\32\230\361\6b\2\30\203\16\360\11\263\304\203\312\255%\225\233\363\213\354]\277~K\220\1\37E\220\274\301\233\306\1\342\2443\303=\217\333?\217\311", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "h\244\367\2,\224o\314\325\204w\200\315\255I\247\201\3{\374\3358x}\235%\201\31\6\332a\230\376\260\32\230\361\6b\2\30\203\16\360\11\263\304\203\312\255%\225\233\363\213\354]\277~K\220\1\37E\220\274\301\233\306\1\342\2443\303=\217\333?\217\311", 80, ... ) , 80, ... ) == 0x0
 01156   388   NtClose  (-2147482040, ... ) == 0x0
 01146   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\202Y\306\331S@\15\213|\360R\322{I}-:\300\337I=(4(j:\341\356\234\31qC"\376\304\341s\204\273S\376\226\306\337\177\354\345\321`\265\274\5\300\367\350\251XDr\326jmp\375\265Ea\21,:&Cs\264\36q\0\266\5\277D\246\34\227&\10\321\367\376\259\305\14v}I\370\247\264\212\246\315l$\12\244g@\317\353Y;\31n]\325\25\253\210\33\267R\260\24\36\225\224@\366\177O\302\214\271\264<0\215\212!\312\3140\357\357\205\315J\2462\241\225\254\\334\177\324\371\2700W_\355\34\264\347\224\324T\200\313\254\201\314\23.\177\370\216\204\207*\337Ao\232$1/\31\212\273(A\347\247F\334\306e\5\5\31/\226\2746\344\320\375\346u=\364M\215\344\327\179\252lE\377f\253\206\207os\372\333\302\326\352\346\244\250\365\350\211\27\270x\304\356{N\246\343\214\3520;\225\212", ) \376\304\341s\204\273S\376\226\306\337\177\354\345\321`\265\274\5\300\367\350\251XDr\326jmp\375\265Ea\21,:&Cs\264\36q\0\266\5\277D\246\34\227&\10\321\367\376\259\305\14v}I\370\247\264\212\246\315l$\12\244g@\317\353Y;\31n]\325\25\253\210\33\267R\260\24\36\225\224@\366\177O\302\214\271\264<0\215\212!\312\3140\357\357\205\315J\2462\241\225\254\\334\177\324\371\2700W_\355\34\264\347\224\324T\200\313\254\201\314\23.\177\370\216\204\207*\337Ao\232$1/\31\212\273(A\347\247F\334\306e\5\5\31/\226\2746\344\320\375\346u=\364M\215\344\327\179\252lE\377f\253\206\207os\372\333\302\326\352\346\244\250\365\350\211\27\270x\304\356{N\246\343\214\3520;\225\212", ) == 0x0
 01157   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01158   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01159   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01160   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01161   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01162   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01163   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01164   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01165   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01166   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\337.\333\11\251u^\216\241#I`\31\376\304\3730?\17R\345\7n$\372\341\312\243\243`[\341_\334\225x5\212\273\316\16db\377\257\264\35\252\7\314k\272F\374\302\264W\270\2<\240\322\234\5}G[\262I\261\4\204CF\2438'k\335(", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\337.\333\11\251u^\216\241#I`\31\376\304\3730?\17R\345\7n$\372\341\312\243\243`[\341_\334\225x5\212\273\316\16db\377\257\264\35\252\7\314k\272F\374\302\264W\270\2<\240\322\234\5}G[\262I\261\4\204CF\2438'k\335(", 80, ... ) , 80, ... ) == 0x0
 01167   388   NtClose  (-2147482040, ... ) == 0x0
 01157   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\325\352\332.7A\343\320\354\354E\5q\14\257\316\26\225Zej^\200\225uz\3\237\216\37YGF6\11\363\342\313\353nPcQ\347\316Q\210\315tKw\217\352\256\353\3\374\32\2361\35\333xF\244\371^ \12\305g\225{a\312\333q\244\243\210n\17\247\255\304p_r\0\323\327\350\315F\270\22\325\2636-\345\22\373\261\360+\227\20\379W\371\36{\321\231FD($\200\310\261\261\324~{?#44\314-\204o\0\373\365\11\257\24O\3463\5\231P.b\27\344'\222\373\30\311\274!\201\207\300<7\356f\33\345\341\340\224\3503\311\222\3235j\255\7\1\314\266%\361\14\1L\365\312\233\32\332\322X\304S\330\327\260\300 \370\255\263\3b\314\361\240^\311\221\3119K\314w\23\34\213\341\337\337z\220\357^\273\13@\13\352\347\346@\207`\362\267\213oN}\301\263y\323\7\366\206/\7\232\352\371C", ) , ) == 0x0
 01168   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\365\325\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01169   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01170   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01171   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01172   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01173   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01174   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01175   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01176   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01177   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "dC\205j\31\266\356\232\275\4\205I.\316 \363@\330\374\304;\237\320\177\321\241\270N\253G \202\214\245\233u\336\12\11\350sP\26q\253M\33\340\377\371yH`\245:\262/\211\14\357\244P\31&\303\260\356\22;}\11\250\215\266\351\343`\34\260\311", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "dC\205j\31\266\356\232\275\4\205I.\316 \363@\330\374\304;\237\320\177\321\241\270N\253G \202\214\245\233u\336\12\11\350sP\26q\253M\33\340\377\371yH`\245:\262/\211\14\357\244P\31&\303\260\356\22;}\11\250\215\266\351\343`\34\260\311", 80, ... ) , 80, ... ) == 0x0
 01178   388   NtClose  (-2147482040, ... ) == 0x0
 01168   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\210\204\264~S\352\233!r\332\31\335\365I\240\355\23\237\252e\331p\11\22\216{\10$\3201\6V\252[b\270\202\205f\230\270\222H\331=~G\3060\200!\365#\2465\214\342\344\254\272\s\202\255\11\324\313!&0\300^)\241[\337\257#\4\365\1=\234}8Y\302\207=\310gt\237\261\301\276\357;\257\242\302\302\256s\230\263\22a\360\257((\255_/\275\263jeT\34\337\276xBd\203\15\267\313PSM\330\23\275\263I\324\246;\244\275\340\222\311\34\16\275\270\21]8G\24\226l_\5\222*\216\3/\340'\360\336i\207\323p\271\244\307}KB\205'\321\256\265\334\1Z \273\213\233F\273\302\343\254i\330Nsc\23I\261\206=3b\332J\215\30q\14\222\352\325\363\26\342\244X#&1IM\12X)\222\0\231\30\264WJIA4G\377\276\355\344\275\363#\270S\332", ) , ) == 0x0
 01179   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01180   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01181   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01182   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01183   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01184   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01185   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01186   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01187   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01188   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\304\246\242\336\3065\244\10\206\24:\16\330D\214\360/B\226\272\232\25\33\201\340\1775\0,o\17W\341\13@\221\340\20K\327]'\347i\373\264\236E\225\3118\23\335\341\234[\277\314\31\275\16\242%Y\276_M\342\373\1\262e\13\253\241\372\356\323f", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\304\246\242\336\3065\244\10\206\24:\16\330D\214\360/B\226\272\232\25\33\201\340\1775\0,o\17W\341\13@\221\340\20K\327]'\347i\373\264\236E\225\3118\23\335\341\234[\277\314\31\275\16\242%Y\276_M\342\373\1\262e\13\253\241\372\356\323f", 80, ... ) , 80, ... ) == 0x0
 01189   388   NtClose  (-2147482040, ... ) == 0x0
 01179   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3246Zm\6X\265\24\20|\343\34\262\334\322\360t\265&\335J?le\266\313\276G]\232z\10\333J\325\255\323\366\327J\374\204\220\5\302\342V\206\330S\261\252\232\6\211\24\337\254\334\216\231"\334\221\0~\230U\33H\263:\274\177\253\224\247\264\33\346\333\243+\230vc\257\342\254\4k\322h\271iu\25\245\267Z\217\234\202$d\25|\324\244n\4i\260&\364\370B\200\1X\346\27@c/\26Xe=\330\310\15\327\352+9\270\3017(pD\375jG\14\276\261\303\223\23\215\300\25\344GSG\234\343a\27\351\257\35\302\376\4\7\244\271\324\350}\7\235\207W\250)V\312\262\305\243\0Rt\310:i\204?\373zo\331*v\243S}\265)\373\13W\360\37\360\372\275!\362\345H\232Z\335\257\344t\26\1\242\357z\227\313+\310\330p\247\350+\315[Hu\356d\360\365\26\331\313Q\375\277U\375\212\221\257\242", ) \334\221\0~\230U\33H\263:\274\177\253\224\247\264\33\346\333\243+\230vc\257\342\254\4k\322h\271iu\25\245\267Z\217\234\202$d\25|\324\244n\4i\260&\364\370B\200\1X\346\27@c/\26Xe=\330\310\15\327\352+9\270\3017(pD\375jG\14\276\261\303\223\23\215\300\25\344GSG\234\343a\27\351\257\35\302\376\4\7\244\271\324\350}\7\235\207W\250)V\312\262\305\243\0Rt\310:i\204?\373zo\331*v\243S}\265)\373\13W\360\37\360\372\275!\362\345H\232Z\335\257\344t\26\1\242\357z\227\313+\310\330p\247\350+\315[Hu\356d\360\365\26\331\313Q\375\277U\375\212\221\257\242", ) == 0x0
 01190   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01191   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01192   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01193   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01194   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01195   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01196   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01197   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01198   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01199   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\230\267\216\260\244\320\12\221d\206Q\332\205\370r\13\224\213\326r\272c\212\7'cg\361\337\3\4\322]\234\241B\23\26"\344f\333\10\250\3G|\246\210\317J\274\231\333\33\222\243N\3\251<\21`\327\341\274\10\210O|\370\5\211\2\215R\354p\5\303", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\230\267\216\260\244\320\12\221d\206Q\332\205\370r\13\224\213\326r\272c\212\7'cg\361\337\3\4\322]\234\241B\23\26"\344f\333\10\250\3G|\246\210\317J\274\231\333\33\222\243N\3\251<\21`\327\341\274\10\210O|\370\5\211\2\215R\354p\5\303", 80, ... ) \344f\333\10\250\3G|\246\210\317J\274\231\333\33\222\243N\3\251<\21`\327\341\274\10\210O|\370\5\211\2\215R\354p\5\303", 80, ... ) == 0x0
 01200   388   NtClose  (-2147482040, ... ) == 0x0
 01190   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "PE\274\244\265\342\347\335\201\205f\42\362p5\30\333\242qICl\212\210\265\340\\324\361\232?'\205\252C\230\263@\23\367_\374\330i\26\334\315\230Us4p\266\253\302ZqS\232\347\266\217)R\12\310|f\20\68So\14\210\2360z\221E\305\275\205\373z\27\350x\241\374\237<\223_\245\36 \243\352tpO\217\213cGg\263\2071\247\6\226\16\212\213-\12\6\30`cO\331\255\264G\217\336#r\365I\331\23\263-\247\23%8\206\7\302):D>\177\202\371\242\2445\275\25\17\11D\241\273\327\336\35\221\326\373\311\354\376\30418\337\6)zd^\13\277\330\351(\4\264\225\307YR\244\334\310iQ\271\372\273\273J\2175\310\267\264\335:/\332\202\335\241\314O\343\354\226\360\307\16\354[\315\227\346A\215'\366\355\245,|\351\211\36|B\217p\207\207`\36n\365\263\33sC$V\22\325\", ) , ) == 0x0
 01201   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01202   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01203   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01204   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01205   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01206   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01207   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01208   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01209   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01210   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "a\364b\231I\266(\233\222\307O\3\315\375\27\340\337 \266/pU\35\323\243\265\272\306N\350\320\0\30\355JIg\23H\324e\242\334|\312Dq\250f^n\367a\277\230\323{y \25t\231.\234:'\34\222\315\220\363\232\260\177\337\27\334<\340T", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "a\364b\231I\266(\233\222\307O\3\315\375\27\340\337 \266/pU\35\323\243\265\272\306N\350\320\0\30\355JIg\23H\324e\242\334|\312Dq\250f^n\367a\277\230\323{y \25t\231.\234:'\34\222\315\220\363\232\260\177\337\27\334<\340T", 80, ... ) , 80, ... ) == 0x0
 01211   388   NtClose  (-2147482040, ... ) == 0x0
 01201   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\377,\35\230\344\26\353&\36P\352\265J#)\316\371\206f\324W\\23\23\322\320\323\205dN\376N\251\265~\301\305\3eo\354DS\6\257\352\274\360\262Sbu>\2647f\253\376\231\304U\12\2g\375\316\357\2\222\362:\\274\342\262\226\263\313\220\366F\244\220H\300\212\323\221\320\32\213\367\225 s\202\23\220\244\201>u\325X\320id\334-p$\232[\346Gr@i\35\242-\342\364F\310Y\225u\262\312T\252\360\2\215\316 >\315X\2448\346\323\347\6\267\10\372m\365H\23"\341\247\324MK\303iR\202\27,\10=y\33\322XM4|\312\310\222\16\343\302\26\267NC\10EF\27tj\207\307\322/#\230\234gGW`\350\324^\25\2\4C\11\323&m(0\234\205F\202C\300\300\25\207\300\275E\242*\30CK\4\336d\236}\5q\271v\2275\247\370\20>\10e^\373\213d\15)\27\242", ) \341\247\324MK\303iR\202\27,\10=y\33\322XM4|\312\310\222\16\343\302\26\267NC\10EF\27tj\207\307\322/#\230\234gGW`\350\324^\25\2\4C\11\323&m(0\234\205F\202C\300\300\25\207\300\275E\242*\30CK\4\336d\236}\5q\271v\2275\247\370\20>\10e^\373\213d\15)\27\242", ) == 0x0
 01212   388   NtDeviceIoControlFile  (160, 0, 0x0, 0x0, 0x390008,  (160, 0, 0x0, 0x0, 0x390008, "lP!\304\34g\377\265\2\223\3\352\234\354\263\211\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\365\325\216zA\202\332\376t\247G\254d\300\315\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01213   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01214   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01215   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01216   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01217   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01218   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01219   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01220   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482040, 2, ) }, 0, 0x0, 0, ... -2147482040, 2, ) == 0x0
 01221   388   NtSetValueKey  (-2147482040,  (-2147482040, "Seed", 0, 3, "\345'\305\20u\12x\224\311|3\12\30G8\267\205\326\2\356\3306I\240\356\375k]\261\324\340{\221[\354\24\317\322\253\326\374R\3\204S\273\271k\1\313g\347n\352\245<<\305\307\30R:\215\330\236j\21\260\345\244\32\257\377\304\216\373JL\245\202", 80, ... ) , 0, 3,  (-2147482040, "Seed", 0, 3, "\345'\305\20u\12x\224\311|3\12\30G8\267\205\326\2\356\3306I\240\356\375k]\261\324\340{\221[\354\24\317\322\253\326\374R\3\204S\273\271k\1\313g\347n\352\245<<\305\307\30R:\215\330\236j\21\260\345\244\32\257\377\304\216\373JL\245\202", 80, ... ) , 80, ... ) == 0x0
 01222   388   NtClose  (-2147482040, ... ) == 0x0
 01212   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\265\316\232\330\356\305u\343\310\313\355\241\22\36\2633l?\360\341?S\332:\353\212M\254\264\233\221\27\23\241\334\3155\202\310^\31\22]\2723\222d\26\2421)KsI\20\37\236\270\275w\251\314\236(\31\200GC\272K3{(bs\4\336\332\323_R\\265\37\217\3060\26\2\240s\314\227u\240\324\332\300\21;t\220.\236\31\20\30\255~8\315\200A,\332\310\334\101wL\214\34091\277\372\333\331+>\302\237\210\225+8\261\370\332C\364\245\316\262\262\12\344=T\302\345r\371\370\222Ar\304[\25\232\25|\2220\260\223K\324w\272\362\200\271\3069D\\350 KK\260`\5\15t@\177\27k*.\270\23\376\262\334\300\3{-P1\334\302\255\356\14yc6\3764@\275%\202qMj\311\3608\34o\5\330\352\362\223\252\215\330\260w\6\217\257\236\22\35\337\212h\300ET\311\266\36\362{\370F", ) , ) == 0x0
 01223   388   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 156, {status=0x0, info=1}, ) }, 3, 33, ... 156, {status=0x0, info=1}, ) == 0x0
 01224   388   NtQueryVolumeInformationFile  (156, 1237948, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01225   388   NtClose  (12, ... ) == 0x0
 01226   388   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237168,  (0x80100080, {24, 0, 0x40, 0, 1237168, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 01228   388   NtQueryInformationFile  (12, 1238104, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01229   388   NtQueryInformationFile  (12, 1238076, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01230   388   NtQueryInformationFile  (12, 1238028, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01231   388   NtAllocateVirtualMemory  (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0
 01232   388   NtQueryInformationFile  (12, 1401160, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01233   388   NtQueryInformationFile  (12, 1236572, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01234   388   NtQueryInformationFile  (12, 1236416, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01235   388   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1236424,  (0x40110080, {24, 0, 0x40, 0, 1236424, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01236   388   NtClose  (-2147482040, ... ) == 0x0
 01235   388   NtCreateFile  ... 152, {status=0x0, info=2}, ) == 0x0
 01237   388   NtQueryVolumeInformationFile  (152, 1235796, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01238   388   NtQueryInformationFile  (152, 1235756, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01239   388   NtQueryVolumeInformationFile  (12, 1235796, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01240   388   NtQueryVolumeInformationFile  (12, 1235480, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01241   388   NtSetInformationFile  (152, 1235584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01242   388   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 164, ) == 0x0
 01243   388   NtMapViewOfSection  (164, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x15b0000), {0, 0}, 94208, ) == 0x0
 01244   388   NtClose  (164, ... ) == 0x0
 01245   388   NtWriteFile  (152, 0, 0, 0,  (152, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]c\221?P\0\0\0\0PE\0\0L\1\7\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\240R\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\377D\300G\0\0\0\0\0\0\0\0\0\240R\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.BSS\0\0\0\0\0`\1\0\0\20\0\0P\251\0\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01246   388   NtWriteFile  (152, 0, 0, 0,  (152, 0, 0, 0, "\37\14\23WC@%VR\230\36`\10\1\11Z\22EP-F\362\305lRn\246\254S\11\220\247\264\363\235\231=\314^\270\351\233+\213\23M\0\01V\15'\0R8\20\10>QFX\13\27\22\36\352\235\27`\273\355B\177H\347T\350\366\221\304q\351wJ\2\251&Q\13`\235\11\17\0\23S\35H\22\17LvX\27\32&\350.\35\301\2737W\276\306\224o\255\25\304\3519\207\14\25"\7\33\0\342ER7\26\24\4NY\342\3M\32\_3\274\2420\242\350e\252\356\267s\303\303\221\254h#W\244\333\265\230\352\22L\0!D>\337`\30\32\342\6\37,'b\274\342"\31\353\317Vo\327h\307\260\25\340s\306\352\245\317\330\334\253\352@\16,=Z,5 \210\0_\249O\13'V\351n\310\350\333\365\3170\2\273R\377\214i\227n\220\350\274\351\206\270\252\342\\76;\15\16\23\266\3\6\0T^7[(D\37`L;<\250\366\245uI8\11\273h\27\233\33\30+\330\236, r\0\341\22\32E.\0\20/^\34\25\2-4\344I\177 .Z!rU\26\366h\37r\22Zp\16\336\34\322\312\315\354\273\12\250\216\17\24iR[\322W\2 \26&\247X\333\234#\21,w\202_\276nX5P\220\364#AXw\2\211\3753\2047P\271\244#\240\212u\10\355\371\337\300\221\17\325\263\215\3648\362/#`\177\202 \16gD7\330s3#\330\351w\202)\246\270\272={\331/\244\36\250\223\21m S\273\201d`$\302\36\254vr\310F\235\376\4\277}\375uk\260B\6\367F\241\373\4^e\215>n\260\356\336\361F@\357\4\31\2108\222j\241\235\227\305\341\33\270~\21L\250\272\272\214\32lO\234\322\327\340\322\201.\200\215\364", 30720, 0x0, 0, ... {status=0x0, info=30720}, ) \7\33\0\342ER7\26\24\4NY\342\3M\32\_3\274\2420\242\350e\252\356\267s\303\303\221\254h#W\244\333\265\230\352\22L\0!D>\337`\30\32\342\6\37,'b\274\342 (152, 0, 0, 0, "\37\14\23WC@%VR\230\36`\10\1\11Z\22EP-F\362\305lRn\246\254S\11\220\247\264\363\235\231=\314^\270\351\233+\213\23M\0\01V\15'\0R8\20\10>QFX\13\27\22\36\352\235\27`\273\355B\177H\347T\350\366\221\304q\351wJ\2\251&Q\13`\235\11\17\0\23S\35H\22\17LvX\27\32&\350.\35\301\2737W\276\306\224o\255\25\304\3519\207\14\25"\7\33\0\342ER7\26\24\4NY\342\3M\32\_3\274\2420\242\350e\252\356\267s\303\303\221\254h#W\244\333\265\230\352\22L\0!D>\337`\30\32\342\6\37,'b\274\342"\31\353\317Vo\327h\307\260\25\340s\306\352\245\317\330\334\253\352@\16,=Z,5 \210\0_\249O\13'V\351n\310\350\333\365\3170\2\273R\377\214i\227n\220\350\274\351\206\270\252\342\\76;\15\16\23\266\3\6\0T^7[(D\37`L;<\250\366\245uI8\11\273h\27\233\33\30+\330\236, r\0\341\22\32E.\0\20/^\34\25\2-4\344I\177 .Z!rU\26\366h\37r\22Zp\16\336\34\322\312\315\354\273\12\250\216\17\24iR[\322W\2 \26&\247X\333\234#\21,w\202_\276nX5P\220\364#AXw\2\211\3753\2047P\271\244#\240\212u\10\355\371\337\300\221\17\325\263\215\3648\362/#`\177\202 \16gD7\330s3#\330\351w\202)\246\270\272={\331/\244\36\250\223\21m S\273\201d`$\302\36\254vr\310F\235\376\4\277}\375uk\260B\6\367F\241\373\4^e\215>n\260\356\336\361F@\357\4\31\2108\222j\241\235\227\305\341\33\270~\21L\250\272\272\214\32lO\234\322\327\340\322\201.\200\215\364", 30720, 0x0, 0, ... {status=0x0, info=30720}, ) , 30720, 0x0, 0, ... {status=0x0, info=30720}, ) == 0x0
 01247   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01248   388   NtSetInformationFile  (152, 1238028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01249   388   NtClose  (12, ... ) == 0x0
 01250   388   NtClose  (152, ... ) == 0x0
 01251   388   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0
 01252   388   NtSetInformationFile  (152, 1238228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01253   388   NtClose  (152, ... ) == 0x0
 01254   388   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0
 01255   388   NtSetInformationFile  (152, 1238228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01256   388   NtClose  (152, ... ) == 0x0
 01257   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237932,  (0x80100080, {24, 0, 0x40, 0, 1237932, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01258   388   NtQueryInformationFile  (152, 1237984, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01259   388   NtClose  (152, ... ) == 0x0
 01260   388   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1237932,  (0x40100080, {24, 0, 0x40, 0, 1237932, "\??\C:\WINDOWS\System32\algs.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01261   388   NtSetInformationFile  (152, 1237984, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01262   388   NtClose  (152, ... ) == 0x0
 01263   388   NtOpenFile  (0x10080, {24, 156, 0x40, 0, 0,  (0x10080, {24, 156, 0x40, 0, 0, "ycdr.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01264   388   NtCreateFile  (0x40100080, {24, 156, 0x40, 0, 1238180,  (0x40100080, {24, 156, 0x40, 0, 1238180, "ycdr.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 152, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 152, {status=0x0, info=2}, ) == 0x0
 01265   388   NtWriteFile  (152, 0, 0, 0,  (152, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del ycdr.bat\15\12", 120, 0x0, 0, ... {status=0x0, info=120}, ) , 120, 0x0, 0, ... {status=0x0, info=120}, ) == 0x0
 01266   388   NtClose  (152, ... ) == 0x0
 01267   388   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01268   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231520, ... ) }, 1231520, ... ) == 0x0
 01269   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01270   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 12, ) == 0x0
 01271   388   NtClose  (152, ... ) == 0x0
 01272   388   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x15b0000), 0x0, 262144, ) == 0x0
 01273   388   NtClose  (12, ... ) == 0x0
 01274   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01275   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01276   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01277   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01278   388   NtAllocateVirtualMemory  (-1, 1413120, 0, 16384, 4096, 4, ... 1413120, 16384, ) == 0x0
 01279   388   NtUserRegisterClassExWOW  (1233604, 1233684, 1233668, 1233700, 0, 384, 0, ... ) == 0x810dc038
 01280   388   NtUserGetAtomName  (49208, 1232368, ... ) == 0x15
 01281   388   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01282   388   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01283   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229892, ... ) }, 1229892, ... ) == 0x0
 01284   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01285   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 152, ) == 0x0
 01286   388   NtClose  (12, ... ) == 0x0
 01287   388   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x15b0000), 0x0, 204800, ) == 0x0
 01288   388   NtClose  (152, ... ) == 0x0
 01289   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 01290   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230208, ... ) }, 1230208, ... ) == 0x0
 01291   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01292   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ... 12, ) == 0x0
 01293   388   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01294   388   NtClose  (152, ... ) == 0x0
 01295   388   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01296   388   NtClose  (12, ... ) == 0x0
 01297   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01298   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01299   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01300   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01301   388   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01302   388   NtClose  (12, ... ) == 0x0
 01303   388   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01304   388   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 152, ) }, ... 152, ) == 0x0
 01305   388   NtQueryValueKey  (152,  (152, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   388   NtClose  (152, ... ) == 0x0
 01307   388   NtClose  (12, ... ) == 0x0
 01308   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01309   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 01310   388   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01311   388   NtClose  (12, ... ) == 0x0
 01312   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 01313   388   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 152, ) }, ... 152, ) == 0x0
 01314   388   NtQueryValueKey  (152,  (152, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315   388   NtClose  (152, ... ) == 0x0
 01316   388   NtClose  (12, ... ) == 0x0
 01317   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1229708, ... ) }, 1229708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "UxTheme.dll"}, 1229708, ... ) }, 1229708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0
 01320   388   NtUserGetProcessWindowStation  (... ) == 0x28
 01321   388   NtUserGetObjectInformation  (40, 2, 0, 0, 1232004, ... ) == 0x0
 01322   388   NtUserGetObjectInformation  (40, 2, 1363688, 16, 1232004, ... ) == 0x1
 01323   388   NtUserGetGUIThreadInfo  (388, 1231960, ... ) == 0x1
 01324   388   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1231780, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1231780, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 01325   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 1508, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01326   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1509, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 1509, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1509, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01327   388   NtUserCallNoParam  (29, ...
 01328   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229252, ... ) }, 1229252, ... ) == 0x0
 01327   388   NtUserCallNoParam  ... ) == 0x0
 01329   388   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01330   388   NtGdiHfontCreate  (1231332, 356, 0, 0, 1372768, ... ) == 0x120a03e6
 01331   388   NtGdiHfontCreate  (1231332, 356, 0, 0, 1372760, ... ) == 0x60a03e2
 01332   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1510, 0} "\0\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 1510, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 1510, 0} "\0\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01333   388   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x15b0000), {0, 0}, 331776, ) == 0x0
 01334   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01335   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01336   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01337   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01338   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01339   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01340   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01341   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01342   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01343   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01344   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01345   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01346   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01347   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01348   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01349   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01350   388   NtUserGetWindowDC  (0, ... ) == 0x1010050
 01351   388   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x281003e0
 01352   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 01353   388   NtUserCallNoParam  (29, ...
 01354   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228696, ... ) }, 1228696, ... ) == 0x0
 01353   388   NtUserCallNoParam  ... ) == 0x0
 01355   388   NtUserCallNoParam  (29, ...
 01356   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1228692, ... ) }, 1228692, ... ) == 0x0
 01355   388   NtUserCallNoParam  ... ) == 0x0
 01357   388   NtUserMessageCall  (0x70036, WM_NCCREATE, 0x0, 0x12cd9c, 0, 670, 0, ... ) == 0x1
 01358   388   NtUserMessageCall  (0x70036, WM_NCCALCSIZE, 0x0, 0x12cdc4, 0, 670, 0, ... ) == 0x0
 01359   388   NtUserSetProp  (458806, 43288, -1, ... ) == 0x1
 01281   388   NtUserCreateWindowEx  ... ) == 0x70036
 01360   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01361   388   NtQueryValueKey  (164,  (164, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01362   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01363   388   NtQueryValueKey  (168,  (168, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01364   388   NtClose  (168, ... ) == 0x0
 01365   388   NtClose  (164, ... ) == 0x0
 01366   388   NtAllocateVirtualMemory  (-1, 1429504, 0, 24576, 4096, 4, ... 1429504, 24576, ) == 0x0
 01367   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01368   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 164, ) }, ... 164, ) == 0x0
 01370   388   NtQueryValueKey  (164,  (164, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371   388   NtClose  (164, ... ) == 0x0
 01372   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01373   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01374   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0
 01375   388   NtQuerySystemTime  (... {-555342764, 29877608}, ) == 0x0
 01376   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01377   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01379   388   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01380   388   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01381   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01382   388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 180, ) == 0x0
 01383   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 184, ) }, ... 184, ) == 0x0
 01384   388   NtOpenKey  (0x20019, {24, 184, 0x40, 0, 0,  (0x20019, {24, 184, 0x40, 0, 0, "ActiveComputerName"}, ... 188, ) }, ... 188, ) == 0x0
 01385   388   NtQueryValueKey  (188,  (188, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (188, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (188, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01386   388   NtClose  (188, ... ) == 0x0
 01387   388   NtClose  (184, ... ) == 0x0
 01388   388   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 184, ) == 0x0
 01389   388   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 188, ) == 0x0
 01390   388   NtDuplicateObject  (-1, 184, -1, 0x0, 0, 2, ... 192, ) == 0x0
 01391   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01392   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01393   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01394   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01395   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232132,  (0xc0100080, {24, 0, 0x40, 0, 1232132, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0
 01396   388   NtSetInformationFile  (200, 1232188, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01397   388   NtSetInformationFile  (200, 1232180, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01398   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01399   388   NtWriteFile  (200, 177, 0, 0,  (200, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01400   388   NtReadFile  (200, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (200, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01401   388   NtFsControlFile  (200, 177, 0x0, 0x0, 0x11c017,  (200, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (200, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01402   388   NtClose  (196, ... ) == 0x0
 01403   388   NtClose  (200, ... ) == 0x0
 01404   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1232176, ... ) }, 1232176, ... ) == 0x0
 01405   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01406   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01407   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "ycdr.bat"}, 1231996, ... ) }, 1231996, ... ) == 0x0
 01408   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01409   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01410   388   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1372784, 0,  (0x1f0003, {24, 52, 0x80, 1372784, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 200, ) }, 0, 2147483647, ... 200, ) == STATUS_OBJECT_NAME_EXISTS
 01411   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 01412   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 01413   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 196, ) }, ... 196, ) == 0x0
 01415   388   NtQueryValueKey  (196,  (196, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   388   NtClose  (196, ... ) == 0x0
 01417   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 01418   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 01419   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01420   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 196, ) }, ... 196, ) == 0x0
 01421   388   NtQueryValueKey  (196,  (196, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01422   388   NtClose  (196, ... ) == 0x0
 01423   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 01424   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 01425   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 196, ) }, ... 196, ) == 0x0
 01427   388   NtQueryValueKey  (196,  (196, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428   388   NtClose  (196, ... ) == 0x0
 01429   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 01430   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 01431   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 196, ) }, ... 196, ) == 0x0
 01433   388   NtQueryValueKey  (196,  (196, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   388   NtClose  (196, ... ) == 0x0
 01435   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 196, ) }, ... 196, ) == 0x0
 01436   388   NtEnumerateKey  (196, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (196, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 01437   388   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 204, ) }, ... 204, ) == 0x0
 01438   388   NtQueryValueKey  (204,  (204, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   388   NtClose  (204, ... ) == 0x0
 01440   388   NtEnumerateKey  (196, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (196, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 01441   388   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 204, ) }, ... 204, ) == 0x0
 01442   388   NtQueryValueKey  (204,  (204, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   388   NtClose  (204, ... ) == 0x0
 01444   388   NtEnumerateKey  (196, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (196, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 01445   388   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 204, ) }, ... 204, ) == 0x0
 01446   388   NtQueryValueKey  (204,  (204, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   388   NtClose  (204, ... ) == 0x0
 01448   388   NtEnumerateKey  (196, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (196, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 01449   388   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 204, ) }, ... 204, ) == 0x0
 01450   388   NtQueryValueKey  (204,  (204, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   388   NtClose  (204, ... ) == 0x0
 01452   388   NtEnumerateKey  (196, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01453   388   NtClose  (196, ... ) == 0x0
 01454   388   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   388   NtOpenProcessToken  (-1, 0x8, ... 196, ) == 0x0
 01456   388   NtQueryInformationToken  (196, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01457   388   NtClose  (196, ... ) == 0x0
 01458   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01459   388   NtCreateKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01460   388   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 01461   388   NtCreateKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "SessionInfo\0000000000009227"}, 0, 0x0, 1, ... 208, 2, ) }, 0, 0x0, 1, ... 208, 2, ) == 0x0
 01462   388   NtClose  (204, ... ) == 0x0
 01463   388   NtOpenKey  (0x20019, {24, 208, 0x40, 0, 0,  (0x20019, {24, 208, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   388   NtClose  (208, ... ) == 0x0
 01465   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01466   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01467   388   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01468   388   NtClose  (208, ... ) == 0x0
 01469   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 208, ) }, ... 208, ) == 0x0
 01470   388   NtSetInformationObject  (210, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01471   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01472   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 204, ) }, ... 204, ) == 0x0
 01474   388   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01475   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01476   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01477   388   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01478   388   NtClose  (212, ... ) == 0x0
 01479   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   388   NtQueryValueKey  (206,  (206, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   388   NtClose  (206, ... ) == 0x0
 01482   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01483   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 204, ) }, ... 204, ) == 0x0
 01485   388   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01486   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01487   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01488   388   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01489   388   NtClose  (212, ... ) == 0x0
 01490   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491   388   NtQueryValueKey  (206,  (206, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492   388   NtClose  (206, ... ) == 0x0
 01493   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01494   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 204, ) }, ... 204, ) == 0x0
 01496   388   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 01497   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01498   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01499   388   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01500   388   NtClose  (212, ... ) == 0x0
 01501   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502   388   NtQueryValueKey  (206,  (206, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (206, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01503   388   NtClose  (206, ... ) == 0x0
 01504   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 01506   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 204, ) }, ... 204, ) == 0x0
 01508   388   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01509   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01510   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01511   388   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01512   388   NtClose  (212, ... ) == 0x0
 01513   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   388   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01515   388   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01516   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01517   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01518   388   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01519   388   NtClose  (212, ... ) == 0x0
 01520   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01521   388   NtQueryValueKey  (206,  (206, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01522   388   NtClose  (206, ... ) == 0x0
 01523   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 01524   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 01525   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 204, ) }, ... 204, ) == 0x0
 01527   388   NtQueryValueKey  (204,  (204, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528   388   NtClose  (204, ... ) == 0x0
 01529   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 204, ) }, ... 204, ) == 0x0
 01530   388   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01531   388   NtClose  (204, ... ) == 0x0
 01532   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 204, ) }, ... 204, ) == 0x0
 01533   388   NtQueryValueKey  (204,  (204, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   388   NtClose  (204, ... ) == 0x0
 01535   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 204, ) }, ... 204, ) == 0x0
 01536   388   NtQueryValueKey  (204, " (204, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (204, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 01537   388   NtClose  (204, ... ) == 0x0
 01538   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0
 01539   388   NtQueryVolumeInformationFile  (204, 1232316, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01540   388   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 212, ) }, ... 212, ) == 0x0
 01541   388   NtWaitForSingleObject  (212, 0, {-1000000, -1}, ... ) == 0x0
 01542   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 216, ) }, ... 216, ) == 0x0
 01543   388   NtMapViewOfSection  (216, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1610000), {0, 0}, 57344, ) == 0x0
 01544   388   NtQueryInformationFile  (204, 1232280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01545   388   NtQueryInformationFile  (204, 1232320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01546   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01547   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 01548   388   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01549   388   NtClose  (220, ... ) == 0x0
 01550   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   388   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 01552   388   NtClose  (204, ... ) == 0x0
 01553   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01554   388   NtQueryValueKey  (204,  (204, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01555   388   NtClose  (204, ... ) == 0x0
 01556   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1230068, ... ) }, 1230068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "CLBCATQ.DLL"}, 1230068, ... ) }, 1230068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01559   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1230068, ... ) }, 1230068, ... ) == 0x0
 01560   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01561   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 220, ) == 0x0
 01562   388   NtQuerySection  (220, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01563   388   NtClose  (204, ... ) == 0x0
 01564   388   NtMapViewOfSection  (220, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01565   388   NtClose  (220, ... ) == 0x0
 01566   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1229264, ... ) }, 1229264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "COMRes.dll"}, 1229264, ... ) }, 1229264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1229264, ... ) }, 1229264, ... ) == 0x0
 01570   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 01571   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 220, ... 204, ) == 0x0
 01572   388   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01573   388   NtClose  (220, ... ) == 0x0
 01574   388   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01575   388   NtClose  (204, ... ) == 0x0
 01576   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 204, ) }, ... 204, ) == 0x0
 01577   388   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01578   388   NtClose  (204, ... ) == 0x0
 01579   388   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 204, ) }, ... 204, ) == 0x0
 01582   388   NtQueryValueKey  (204,  (204, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   388   NtQueryValueKey  (204,  (204, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   388   NtClose  (204, ... ) == 0x0
 01585   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1230096, ... ) }, 1230096, ... ) == 0x0
 01586   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01587   388   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01588   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01589   388   NtQueryValueKey  (204,  (204, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01590   388   NtClose  (204, ... ) == 0x0
 01591   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 204, ) }, ... 204, ) == 0x0
 01592   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0
 01593   388   NtNotifyChangeKey  (204, 220, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01594   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 224, ) }, ... 224, ) == 0x0
 01595   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0
 01596   388   NtNotifyChangeKey  (224, 228, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01597   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01598   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 236, ) }, ... 236, ) == 0x0
 01599   388   NtSetInformationObject  (236, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01600   388   NtNotifyChangeKey  (236, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01601   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 240, ) }, ... 240, ) == 0x0
 01602   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01603   388   NtNotifyChangeKey  (240, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01604   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0
 01605   388   NtNotifyChangeKey  (236, 248, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01606   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 252, ) }, ... 252, ) == 0x0
 01607   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0
 01608   388   NtNotifyChangeKey  (252, 256, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01609   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 260, ) }, ... 260, ) == 0x0
 01610   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 264, ) == 0x0
 01611   388   NtNotifyChangeKey  (260, 264, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01612   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 268, ) }, ... 268, ) == 0x0
 01613   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 272, ) == 0x0
 01614   388   NtNotifyChangeKey  (268, 272, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01615   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 276, ) }, ... 276, ) == 0x0
 01616   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01617   388   NtNotifyChangeKey  (276, 280, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01618   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 284, ) }, ... 284, ) == 0x0
 01619   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 288, ) == 0x0
 01620   388   NtNotifyChangeKey  (284, 288, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01621   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 01622   388   NtNotifyChangeKey  (236, 292, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01623   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0
 01624   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0
 01625   388   NtNotifyChangeKey  (296, 300, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01626   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 304, ) }, ... 304, ) == 0x0
 01627   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0
 01628   388   NtNotifyChangeKey  (304, 308, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01629   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 312, ) }, ... 312, ) == 0x0
 01630   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 316, ) == 0x0
 01631   388   NtNotifyChangeKey  (312, 316, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01632   388   NtAllocateVirtualMemory  (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0
 01633   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01634   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 320, ) }, ... 320, ) == 0x0
 01635   388   NtQueryValueKey  (320,  (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (320, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01636   388   NtClose  (320, ... ) == 0x0
 01637   388   NtAllocateVirtualMemory  (-1, 14508032, 0, 4096, 4096, 4, ... 14508032, 4096, ) == 0x0
 01638   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01639   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01640   388   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 320, ) }, ... 320, ) == 0x0
 01641   388   NtMapViewOfSection  (320, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1620000), {0, 0}, 24576, ) == 0x0
 01642   388   NtAllocateVirtualMemory  (-1, 14512128, 0, 8192, 4096, 4, ... 14512128, 8192, ) == 0x0
 01643   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 324, ) }, ... 324, ) == 0x0
 01645   388   NtQueryValueKey  (324,  (324, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (324, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01646   388   NtClose  (324, ... ) == 0x0
 01647   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01648   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01649   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 23265280, 65536, ) == 0x0
 01650   388   NtAllocateVirtualMemory  (-1, 23265280, 0, 4096, 4096, 4, ... 23265280, 4096, ) == 0x0
 01651   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01652   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 01654   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01655   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01656   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01657   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01658   388   NtClose  (328, ... ) == 0x0
 01659   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01660   388   NtOpenKey  (0x1, {24, 326, 0x40, 0, 0,  (0x1, {24, 326, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01661   388   NtClose  (326, ... ) == 0x0
 01662   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01663   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01664   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 01665   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01666   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01667   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01668   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01669   388   NtClose  (328, ... ) == 0x0
 01670   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01671   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocServer32"}, ... 328, ) }, ... 328, ) == 0x0
 01672   388   NtAllocateVirtualMemory  (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0
 01673   388   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01674   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01675   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01676   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01677   388   NtClose  (332, ... ) == 0x0
 01678   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01679   388   NtQueryValueKey  (330,  (330, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   388   NtClose  (330, ... ) == 0x0
 01681   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01682   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01683   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01684   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01685   388   NtClose  (328, ... ) == 0x0
 01686   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01687   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01688   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01689   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01690   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01691   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01692   388   NtClose  (328, ... ) == 0x0
 01693   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01694   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01695   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01696   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01697   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01698   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01699   388   NtClose  (328, ... ) == 0x0
 01700   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01701   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocServer32"}, ... 328, ) }, ... 328, ) == 0x0
 01702   388   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01703   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01704   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01705   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01706   388   NtClose  (332, ... ) == 0x0
 01707   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01708   388   NtQueryValueKey  (330, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (330, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01709   388   NtClose  (330, ... ) == 0x0
 01710   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01711   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01712   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01713   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01714   388   NtClose  (328, ... ) == 0x0
 01715   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01716   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01717   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01718   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01719   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01720   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01721   388   NtClose  (328, ... ) == 0x0
 01722   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01723   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01724   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01725   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01726   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01727   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01728   388   NtClose  (328, ... ) == 0x0
 01729   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01731   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 01732   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01733   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01734   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01735   388   NtClose  (328, ... ) == 0x0
 01736   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01737   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01738   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01739   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01740   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 328, ) }, ... 328, ) == 0x0
 01741   388   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01742   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01743   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01744   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01745   388   NtClose  (332, ... ) == 0x0
 01746   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01747   388   NtQueryValueKey  (330,  (330, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   388   NtClose  (330, ... ) == 0x0
 01749   388   NtClose  (326, ... ) == 0x0
 01750   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 324, ) == 0x0
 01751   388   NtQueryInformationProcess  (324, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01752   388   NtClose  (324, ... ) == 0x0
 01753   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01754   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 01756   388   NtClose  (326, ... ) == 0x0
 01757   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 01758   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01759   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 01760   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01761   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01762   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01763   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01764   388   NtClose  (328, ... ) == 0x0
 01765   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   388   NtOpenKey  (0x2000000, {24, 326, 0x40, 0, 0,  (0x2000000, {24, 326, 0x40, 0, 0, "InprocServer32"}, ... 328, ) }, ... 328, ) == 0x0
 01767   388   NtQueryKey  (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01768   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01769   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01770   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01771   388   NtClose  (332, ... ) == 0x0
 01772   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   388   NtQueryValueKey  (330,  (330, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (330, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 01774   388   NtClose  (330, ... ) == 0x0
 01775   388   NtClose  (326, ... ) == 0x0
 01776   388   NtAllocateVirtualMemory  (-1, 1462272, 0, 8192, 4096, 4, ... 1462272, 8192, ) == 0x0
 01777   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01778   388   NtOpenKey  (0x20019, {24, 210, 0x40, 0, 0,  (0x20019, {24, 210, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01779   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 324, ) }, ... 324, ) == 0x0
 01780   388   NtQueryKey  (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 01781   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01782   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01783   388   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01784   388   NtClose  (328, ... ) == 0x0
 01785   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01786   388   NtOpenKey  (0x1, {24, 326, 0x40, 0, 0,  (0x1, {24, 326, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01787   388   NtClose  (326, ... ) == 0x0
 01788   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226488, ... ) }, 1226488, ... ) == 0x0
 01789   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 01790   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 324, ... 328, ) == 0x0
 01791   388   NtClose  (324, ... ) == 0x0
 01792   388   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1640000), 0x0, 1339392, ) == 0x0
 01793   388   NtClose  (328, ... ) == 0x0
 01794   388   NtUnmapViewOfSection  (-1, 0x1640000, ... ) == 0x0
 01795   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1226804, ... ) }, 1226804, ... ) == 0x0
 01796   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 01797   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 324, ) == 0x0
 01798   388   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01799   388   NtClose  (328, ... ) == 0x0
 01800   388   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 01801   388   NtClose  (324, ... ) == 0x0
 01802   388   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 01803   388   NtQueryDefaultUILanguage  (1225168, ...
 01804   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01805   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 01806   388   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01807   388   NtClose  (-2147482040, ... ) == 0x0
 01808   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 01809   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810   388   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 01811   388   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01812   388   NtClose  (-2147482044, ... ) == 0x0
 01813   388   NtClose  (-2147482040, ... ) == 0x0
 01803   388   NtQueryDefaultUILanguage  ... ) == 0x0
 01814   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01815   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 324, {status=0x0, info=1}, ) }, 1, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 01816   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 324, ... 328, ) == 0x0
 01817   388   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1640000), 0x0, 1339392, ) == 0x0
 01818   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01819   388   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 01820   388   NtQueryDefaultLocale  (1, 1223204, ... ) == 0x0
 01821   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1224060, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1224060, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\10\340o\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0|\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1511, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\10\340o\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0|\264\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1511, 0}  (24, {128, 156, new_msg, 0, 1224060, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\10\340o\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0|\264\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1511, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\260\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\10\340o\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0|\264\22\0\0\0\0\0" )  ) == 0x0
 01823   388   NtClose  (324, ... ) == 0x0
 01824   388   NtClose  (328, ... ) == 0x0
 01825   388   NtUnmapViewOfSection  (-1, 0x1640000, ... ) == 0x0
 01826   388   NtUnmapViewOfSection  (-1, 0x12b47c, ... ) == STATUS_NOT_MAPPED_VIEW
 01827   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01828   388   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01829   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01830   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01831   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1221744, ... ) }, 1221744, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01833   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01834   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01835   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1222336, ... ) }, 1222336, ... ) == 0x0
 01836   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 328, {status=0x0, info=1}, ) }, 3, 33, ... 328, {status=0x0, info=1}, ) == 0x0
 01837   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01838   388   NtUserFindExistingCursorIcon  (1226288, 1226304, 1226872, ... ) == 0x10011
 01839   388   NtUserRegisterClassExWOW  (1226740, 1226820, 1226804, 1226836, 0, 384, 0, ... ) == 0x810d0000
 01840   388   NtUserGetClassInfo  (1905590272, 1226904, 1226856, 1226932, 0, ... ) == 0xc05f
 01841   388   NtGdiCreateHalftonePalette  (0, ... ) == 0x100803e5
 01842   388   NtGdiDoPalette  (268960741, 0, 256, 1225996, 2, 0, ... ) == 0x100
 01843   388   NtGdiDeleteObjectApp  (268960741, ... ) == 0x1
 01844   388   NtGdiCreateCompatibleDC  (0, ... ) == 0x110103e5
 01845   388   NtGdiCreatePaletteInternal  (1225992, 256, ... ) == 0x110803e3
 01846   388   NtGdiDeleteObjectApp  (285279205, ... ) == 0x1
 01847   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 01848   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01849   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 324, ) }, ... 324, ) == 0x0
 01850   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 01851   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01852   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01853   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01854   388   NtClose  (332, ... ) == 0x0
 01855   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01856   388   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01857   388   NtClose  (326, ... ) == 0x0
 01858   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01859   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01860   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 324, ) }, ... 324, ) == 0x0
 01861   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01862   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01863   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01864   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01865   388   NtClose  (332, ... ) == 0x0
 01866   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01867   388   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01868   388   NtClose  (326, ... ) == 0x0
 01869   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01870   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01871   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 324, ) }, ... 324, ) == 0x0
 01872   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01873   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01874   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01875   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01876   388   NtClose  (332, ... ) == 0x0
 01877   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   388   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01879   388   NtClose  (326, ... ) == 0x0
 01880   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01881   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 324, ) }, ... 324, ) == 0x0
 01883   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01884   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01885   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01886   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01887   388   NtClose  (332, ... ) == 0x0
 01888   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889   388   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01890   388   NtClose  (326, ... ) == 0x0
 01891   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01892   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 324, ) }, ... 324, ) == 0x0
 01894   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 01895   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01896   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01897   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01898   388   NtClose  (332, ... ) == 0x0
 01899   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900   388   NtQueryValueKey  (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (326, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01901   388   NtClose  (326, ... ) == 0x0
 01902   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903   388   NtAllocateVirtualMemory  (-1, 1470464, 0, 12288, 4096, 4, ... 1470464, 12288, ) == 0x0
 01904   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 01905   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 324, ) }, ... 324, ) == 0x0
 01907   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01908   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01909   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01910   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01911   388   NtClose  (332, ... ) == 0x0
 01912   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913   388   NtQueryValueKey  (326,  (326, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914   388   NtClose  (326, ... ) == 0x0
 01915   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01916   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 324, ) }, ... 324, ) == 0x0
 01918   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 01919   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01920   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01921   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01922   388   NtClose  (332, ... ) == 0x0
 01923   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01924   388   NtQueryValueKey  (326,  (326, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925   388   NtClose  (326, ... ) == 0x0
 01926   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01927   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 324, ) }, ... 324, ) == 0x0
 01929   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 01930   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01931   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01932   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01933   388   NtClose  (332, ... ) == 0x0
 01934   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   388   NtQueryValueKey  (326,  (326, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01936   388   NtClose  (326, ... ) == 0x0
 01937   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01938   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01939   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 324, ) }, ... 324, ) == 0x0
 01940   388   NtQueryKey  (326, Name, 392, ... {Name= (326, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 01941   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01942   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 332, ) == 0x0
 01943   388   NtQueryInformationToken  (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01944   388   NtClose  (332, ... ) == 0x0
 01945   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01946   388   NtQueryValueKey  (326,  (326, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01947   388   NtClose  (326, ... ) == 0x0
 01948   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 324, ) }, ... 324, ) == 0x0
 01949   388   NtEnumerateValueKey  (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01950   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01951   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01952   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 332, ) }, ... 332, ) == 0x0
 01953   388   NtQueryKey  (334, Name, 392, ... {Name= (334, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01954   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01955   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 336, ) == 0x0
 01956   388   NtQueryInformationToken  (336, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01957   388   NtClose  (336, ... ) == 0x0
 01958   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01959   388   NtQueryValueKey  (334, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (334, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01960   388   NtQueryKey  (334, Name, 392, ... {Name= (334, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01961   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01962   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 336, ) == 0x0
 01963   388   NtQueryInformationToken  (336, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01964   388   NtClose  (336, ... ) == 0x0
 01965   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   388   NtQueryValueKey  (334,  (334, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01967   388   NtClose  (334, ... ) == 0x0
 01968   388   NtEnumerateValueKey  (324, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01969   388   NtClose  (324, ... ) == 0x0
 01970   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01971   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01972   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1231448, ... ) }, 1231448, ... ) == 0x0
 01973   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01974   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01975   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 324, ) }, ... 324, ) == 0x0
 01976   388   NtQueryValueKey  (324,  (324, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (324, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (324, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01977   388   NtClose  (324, ... ) == 0x0
 01978   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01979   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01980   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1232476, ... ) }, 1232476, ... ) == 0x0
 01981   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01982   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01983   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 324, ) }, ... 324, ) == 0x0
 01984   388   NtQueryValueKey  (324,  (324, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01985   388   NtQueryValueKey  (324,  (324, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (324, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01986   388   NtClose  (324, ... ) == 0x0
 01987   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 324, ) }, ... 324, ) == 0x0
 01989   388   NtQueryValueKey  (324,  (324, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01990   388   NtClose  (324, ... ) == 0x0
 01991   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01992   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01993   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01994   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01995   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01996   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01997   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01998   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 01999   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 02000   388   NtQueryDefaultLocale  (1, 1232764, ... ) == 0x0
 02001   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 324, ) }, ... 324, ) == 0x0
 02002   388   NtEnumerateKey  (324, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (324, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02003   388   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 332, ) }, ... 332, ) == 0x0
 02004   388   NtQueryValueKey  (332,  (332, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (332, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02005   388   NtQueryValueKey  (332,  (332, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (332, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02006   388   NtClose  (332, ... ) == 0x0
 02007   388   NtEnumerateKey  (324, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02008   388   NtClose  (324, ... ) == 0x0
 02009   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02011   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02012   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02013   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02014   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02017   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02018   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02019   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02020   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02021   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02024   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02025   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02026   388   NtClose  (324, ... ) == 0x0
 02027   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02028   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02029   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02030   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02031   388   NtClose  (324, ... ) == 0x0
 02032   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02033   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02034   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02035   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02036   388   NtClose  (324, ... ) == 0x0
 02037   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02039   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02040   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02041   388   NtClose  (324, ... ) == 0x0
 02042   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02044   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02045   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02046   388   NtClose  (324, ... ) == 0x0
 02047   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02048   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02049   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02050   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02051   388   NtClose  (324, ... ) == 0x0
 02052   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02053   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02054   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02055   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02056   388   NtClose  (324, ... ) == 0x0
 02057   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02058   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02059   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02060   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02061   388   NtClose  (324, ... ) == 0x0
 02062   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02063   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02064   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02065   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02066   388   NtClose  (324, ... ) == 0x0
 02067   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02068   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02069   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02070   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02071   388   NtClose  (324, ... ) == 0x0
 02072   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02073   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02074   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02075   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02076   388   NtClose  (324, ... ) == 0x0
 02077   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02079   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02080   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02081   388   NtClose  (324, ... ) == 0x0
 02082   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02083   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02085   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   388   NtClose  (324, ... ) == 0x0
 02087   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02089   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02090   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02091   388   NtClose  (324, ... ) == 0x0
 02092   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02094   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02095   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02096   388   NtClose  (324, ... ) == 0x0
 02097   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02098   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 324, ) }, ... 324, ) == 0x0
 02099   388   NtQueryValueKey  (324,  (324, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (324, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (324, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02100   388   NtClose  (324, ... ) == 0x0
 02101   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02102   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 02103   388   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02104   388   NtClose  (324, ... ) == 0x0
 02105   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02106   388   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02107   388   NtOpenProcessToken  (-1, 0xa, ... 324, ) == 0x0
 02108   388   NtDuplicateToken  (324, 0xc, {24, 0, 0x0, 0, 1233284, 0x0}, 0, 2, ... 332, ) == 0x0
 02109   388   NtClose  (324, ... ) == 0x0
 02110   388   NtAccessCheck  (1471824, 332, 0x1, 1233412, 1233356, 56, 1233440, ... (0x1), ) == 0x0
 02111   388   NtClose  (332, ... ) == 0x0
 02112   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 332, ) }, ... 332, ) == 0x0
 02113   388   NtQueryValueKey  (332,  (332, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (332, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02114   388   NtClose  (332, ... ) == 0x0
 02115   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233300,  (0x80100080, {24, 0, 0x40, 0, 1233300, "\??\u:\work\ycdr.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02116   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 324, ) }, ... 324, ) == 0x0
 02117   388   NtQuerySymbolicLinkObject  (324, ...  (324, ... "\Device\WinDfs\U:0000000000009227", 66, ) , 66, ) == 0x0
 02118   388   NtClose  (324, ... ) == 0x0
 02119   388   NtQueryInformationFile  (332, 1231744, 528, Name, ... {status=0x0, info=68}, ) == 0x0
 02120   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02121   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02122   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\ycdr.bat"}, 1230424, ... ) }, 1230424, ... ) == 0x0
 02123   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 02124   388   NtQueryDirectoryFile  (324, 0, 0, 0, 1229784, 616, BothDirectory, 1,  (324, 0, 0, 0, 1229784, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02125   388   NtClose  (324, ... ) == 0x0
 02126   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 02127   388   NtQueryDirectoryFile  (324, 0, 0, 0, 1229784, 616, BothDirectory, 1,  (324, 0, 0, 0, 1229784, 616, BothDirectory, 1, "ycdr.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02128   388   NtClose  (324, ... ) == 0x0
 02129   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02130   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02131   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 1231156, ... ) }, 1231156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02133   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "WINTRUST.dll"}, 1231156, ... ) }, 1231156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02134   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 1231156, ... ) }, 1231156, ... ) == 0x0
 02135   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02136   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 336, ) == 0x0
 02137   388   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02138   388   NtClose  (324, ... ) == 0x0
 02139   388   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 02140   388   NtClose  (336, ... ) == 0x0
 02141   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 336, ) }, ... 336, ) == 0x0
 02142   388   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 02143   388   NtClose  (336, ... ) == 0x0
 02144   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02145   388   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 23330816, 262144, ) == 0x0
 02146   388   NtAllocateVirtualMemory  (-1, 23330816, 0, 4096, 4096, 4, ... 23330816, 4096, ) == 0x0
 02147   388   NtAllocateVirtualMemory  (-1, 23334912, 0, 8192, 4096, 4, ... 23334912, 8192, ) == 0x0
 02148   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02149   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23592960, 1048576, ) == 0x0
 02150   388   NtAllocateVirtualMemory  (-1, 23592960, 0, 1048576, 4096, 4, ... 23592960, 1048576, ) == 0x0
 02151   388   NtCreateMutant  (0x1f0001, 0x0, 0, ... 336, ) == 0x0
 02152   388   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 324, ) == 0x0
 02153   388   NtCreateMutant  (0x1f0001, 0x0, 0, ... 340, ) == 0x0
 02154   388   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 344, ) == 0x0
 02155   388   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 348, ) == 0x0
 02156   388   NtSetEvent  (348, ... 0x0, ) == 0x0
 02157   388   NtSetInformationFile  (332, 1233184, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02158   388   NtReadFile  (332, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (332, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02159   388   NtWaitForSingleObject  (336, 0, 0x0, ... ) == 0x0
 02160   388   NtClearEvent  (324, ... ) == 0x0
 02161   388   NtReleaseMutant  (336, ... 0x0, ) == 0x0
 02162   388   NtWaitForSingleObject  (336, 0, 0x0, ... ) == 0x0
 02163   388   NtSetEvent  (324, ... 0x0, ) == 0x0
 02164   388   NtReleaseMutant  (336, ... 0x0, ) == 0x0
 02165   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02166   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02167   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02168   388   NtClose  (352, ... ) == 0x0
 02169   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02170   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02171   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02172   388   NtClose  (352, ... ) == 0x0
 02173   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02174   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02175   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02176   388   NtClose  (352, ... ) == 0x0
 02177   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02178   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02179   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02180   388   NtClose  (352, ... ) == 0x0
 02181   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02182   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02183   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02184   388   NtClose  (352, ... ) == 0x0
 02185   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02186   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02187   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02188   388   NtClose  (352, ... ) == 0x0
 02189   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 352, ) }, ... 352, ) == 0x0
 02191   388   NtQueryValueKey  (352,  (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02192   388   NtQueryValueKey  (352,  (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02193   388   NtClose  (352, ... ) == 0x0
 02194   388   NtWaitForMultipleObjects  (2, (336, 324, ), 0, 0, 0x0, ... ) == 0x0
 02195   388   NtReleaseMutant  (336, ... 0x0, ) == 0x0
 02196   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02197   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02198   388   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02199   388   NtClose  (352, ... ) == 0x0
 02200   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02201   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   388   NtClose  (352, ... ) == 0x0
 02203   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 352, ) }, ... 352, ) == 0x0
 02204   388   NtQueryValueKey  (352,  (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02205   388   NtQueryValueKey  (352,  (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02206   388   NtQueryValueKey  (352,  (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02207   388   NtQueryValueKey  (352,  (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02208   388   NtClose  (352, ... ) == 0x0
 02209   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 352, ) }, ... 352, ) == 0x0
 02210   388   NtQueryValueKey  (352,  (352, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02211   388   NtQueryValueKey  (352,  (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02212   388   NtQueryValueKey  (352,  (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02213   388   NtQueryValueKey  (352,  (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02214   388   NtQueryValueKey  (352,  (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02215   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1230472, ... ) }, 1230472, ... ) == 0x0
 02216   388   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 356, ) }, ... 356, ) == 0x0
 02217   388   NtQueryValueKey  (356,  (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02218   388   NtQueryValueKey  (356,  (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02219   388   NtQueryValueKey  (356,  (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02220   388   NtQueryValueKey  (356,  (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02221   388   NtClose  (356, ... ) == 0x0
 02222   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02224   388   NtOpenProcessToken  (-1, 0x8, ... 356, ) == 0x0
 02225   388   NtQueryInformationToken  (356, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02226   388   NtClose  (356, ... ) == 0x0
 02227   388   NtClose  (352, ... ) == 0x0
 02228   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02229   388   NtOpenProcessToken  (-1, 0x8, ... 352, ) == 0x0
 02230   388   NtQueryInformationToken  (352, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02231   388   NtClose  (352, ... ) == 0x0
 02232   388   NtOpenKey  (0x2000000, {24, 236, 0x40, 0, 0,  (0x2000000, {24, 236, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02233   388   NtCreateKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 356, 2, ) }, 0, 0x0, 0, ... 356, 2, ) == 0x0
 02234   388   NtClose  (352, ... ) == 0x0
 02235   388   NtQueryValueKey  (356,  (356, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02236   388   NtClose  (356, ... ) == 0x0
 02237   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02238   388   NtOpenProcessToken  (-1, 0x8, ... 356, ) == 0x0
 02239   388   NtQueryInformationToken  (356, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02240   388   NtClose  (356, ... ) == 0x0
 02241   388   NtOpenKey  (0x2000000, {24, 236, 0x40, 0, 0,  (0x2000000, {24, 236, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 356, ) }, ... 356, ) == 0x0
 02242   388   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 352, ) }, ... 352, ) == 0x0
 02243   388   NtClose  (356, ... ) == 0x0
 02244   388   NtQueryValueKey  (352,  (352, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02245   388   NtClose  (352, ... ) == 0x0
 02246   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02247   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02248   388   NtOpenProcessToken  (-1, 0x8, ... 352, ) == 0x0
 02249   388   NtQueryInformationToken  (352, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02250   388   NtClose  (352, ... ) == 0x0
 02251   388   NtOpenKey  (0x2000000, {24, 236, 0x40, 0, 0,  (0x2000000, {24, 236, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02252   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253   388   NtClose  (352, ... ) == 0x0
 02254   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02255   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 332, ... 352, ) == 0x0
 02256   388   NtMapViewOfSection  (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1780000), {0, 0}, 4096, ) == 0x0
 02257   388   NtClose  (352, ... ) == 0x0
 02258   388   NtQueryInformationFile  (332, 1232688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02259   388   NtUnmapViewOfSection  (-1, 0x1780000, ... ) == 0x0
 02260   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 352, ) }, ... 352, ) == 0x0
 02261   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "EncodingType 0"}, ... 356, ) }, ... 356, ) == 0x0
 02262   388   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 360, ) }, ... 360, ) == 0x0
 02263   388   NtEnumerateKey  (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02264   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 364, ) }, ... 364, ) == 0x0
 02265   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02266   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02267   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02268   388   NtClose  (364, ... ) == 0x0
 02269   388   NtEnumerateKey  (360, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02270   388   NtClose  (360, ... ) == 0x0
 02271   388   NtClose  (356, ... ) == 0x0
 02272   388   NtClose  (352, ... ) == 0x0
 02273   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 352, ) }, ... 352, ) == 0x0
 02274   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "EncodingType 0"}, ... 356, ) }, ... 356, ) == 0x0
 02275   388   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 360, ) }, ... 360, ) == 0x0
 02276   388   NtEnumerateKey  (360, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (360, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02277   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 364, ) }, ... 364, ) == 0x0
 02278   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02279   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02280   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02281   388   NtClose  (364, ... ) == 0x0
 02282   388   NtEnumerateKey  (360, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (360, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02283   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 364, ) }, ... 364, ) == 0x0
 02284   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02285   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02286   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02287   388   NtClose  (364, ... ) == 0x0
 02288   388   NtEnumerateKey  (360, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (360, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02289   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 364, ) }, ... 364, ) == 0x0
 02290   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02291   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02292   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02293   388   NtClose  (364, ... ) == 0x0
 02294   388   NtEnumerateKey  (360, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (360, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02295   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 364, ) }, ... 364, ) == 0x0
 02296   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02297   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02298   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02299   388   NtClose  (364, ... ) == 0x0
 02300   388   NtEnumerateKey  (360, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02301   388   NtClose  (360, ... ) == 0x0
 02302   388   NtClose  (356, ... ) == 0x0
 02303   388   NtClose  (352, ... ) == 0x0
 02304   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 352, ) }, ... 352, ) == 0x0
 02305   388   NtEnumerateKey  (352, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (352, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02306   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "EncodingType 0"}, ... 356, ) }, ... 356, ) == 0x0
 02307   388   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 360, ) }, ... 360, ) == 0x0
 02308   388   NtEnumerateKey  (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02309   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 364, ) }, ... 364, ) == 0x0
 02310   388   NtQueryKey  (364, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02311   388   NtEnumerateValueKey  (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (364, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02312   388   NtEnumerateValueKey  (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (364, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02313   388   NtClose  (364, ... ) == 0x0
 02314   388   NtEnumerateKey  (360, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02315   388   NtClose  (360, ... ) == 0x0
 02316   388   NtClose  (356, ... ) == 0x0
 02317   388   NtEnumerateKey  (352, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (352, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02318   388   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "EncodingType 1"}, ... 356, ) }, ... 356, ) == 0x0
 02319   388   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02320   388   NtClose  (356, ... ) == 0x0
 02321   388   NtEnumerateKey  (352, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02322   388   NtClose  (352, ... ) == 0x0
 02323   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230216, ... ) }, 1230216, ... ) == 0x0
 02324   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02325   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 352, ... 356, ) == 0x0
 02326   388   NtClose  (352, ... ) == 0x0
 02327   388   NtMapViewOfSection  (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1780000), 0x0, 16384, ) == 0x0
 02328   388   NtClose  (356, ... ) == 0x0
 02329   388   NtUnmapViewOfSection  (-1, 0x1780000, ... ) == 0x0
 02330   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1230532, ... ) }, 1230532, ... ) == 0x0
 02331   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0
 02332   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 356, ... 352, ) == 0x0
 02333   388   NtQuerySection  (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02334   388   NtClose  (356, ... ) == 0x0
 02335   388   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 02336   388   NtClose  (352, ... ) == 0x0
 02337   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1229792, ... ) }, 1229792, ... ) == 0x0
 02338   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02339   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24772608, 1048576, ) == 0x0
 02340   388   NtAllocateVirtualMemory  (-1, 25812992, 0, 8192, 4096, 4, ... 25812992, 8192, ) == 0x0
 02341   388   NtProtectVirtualMemory  (-1, (0x189e000), 4096, 260, ... (0x189e000), 4096, 4, ) == 0x0
 02342   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1231740, 1232456, 1, ... 356, {316, 960}, ) == 0x0
 02343   388   NtQueryInformationThread  (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=316,Tid=960,}, 0x0, ) == 0x0
 02344   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0d\1\0\0<\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 316, 388, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0d\1\0\0<\1\0\0\300\3\0\0" )  ... {28, 56, reply, 0, 316, 388, 1512, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0d\1\0\0<\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 316, 388, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0d\1\0\0<\1\0\0\300\3\0\0" )  ) == 0x0
 02345   388   NtResumeThread  (356, ... 1, ) == 0x0
 02346   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 360, ) }, ... 360, ) == 0x0
 02347   388   NtEnumerateKey  (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (360, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02348   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "EncodingType 0"}, ... }, ...
 02349   960   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02350   960   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02351   960   NtTestAlert  (... ) == 0x0
 02352   960   NtContinue  (25820464, 1, ...
 02353   960   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02354   960   NtWaitForMultipleObjects  (1, (352, ), 1, 0, {-150000000, -1}, ...
 02348   388   NtOpenKey  ... 364, ) == 0x0
 02355   388   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 368, ) }, ... 368, ) == 0x0
 02356   388   NtEnumerateKey  (368, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (368, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02357   388   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 372, ) }, ... 372, ) == 0x0
 02358   388   NtQueryKey  (372, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02359   388   NtEnumerateValueKey  (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02360   388   NtEnumerateValueKey  (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02361   388   NtClose  (372, ... ) == 0x0
 02362   388   NtEnumerateKey  (368, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (368, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02363   388   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 372, ) }, ... 372, ) == 0x0
 02364   388   NtQueryKey  (372, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02365   388   NtEnumerateValueKey  (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02366   388   NtEnumerateValueKey  (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02367   388   NtClose  (372, ... ) == 0x0
 02368   388   NtEnumerateKey  (368, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (368, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02369   388   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 372, ) }, ... 372, ) == 0x0
 02370   388   NtQueryKey  (372, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02371   388   NtEnumerateValueKey  (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02372   388   NtEnumerateValueKey  (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02373   388   NtClose  (372, ... ) == 0x0
 02374   388   NtEnumerateKey  (368, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (368, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02375   388   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 372, ) }, ... 372, ) == 0x0
 02376   388   NtQueryKey  (372, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02377   388   NtEnumerateValueKey  (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (372, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02378   388   NtEnumerateValueKey  (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (372, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02379   388   NtClose  (372, ... ) == 0x0
 02380   388   NtEnumerateKey  (368, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02381   388   NtClose  (368, ... ) == 0x0
 02382   388   NtClose  (364, ... ) == 0x0
 02383   388   NtEnumerateKey  (360, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (360, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 02384   388   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "EncodingType 1"}, ... 364, ) }, ... 364, ) == 0x0
 02385   388   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02386   388   NtClose  (364, ... ) == 0x0
 02387   388   NtEnumerateKey  (360, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02388   388   NtClose  (360, ... ) == 0x0
 02389   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1230524, ... ) }, 1230524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "MSISIP.DLL"}, 1230524, ... ) }, 1230524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1230524, ... ) }, 1230524, ... ) == 0x0
 02393   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02394   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0
 02395   388   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02396   388   NtClose  (360, ... ) == 0x0
 02397   388   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 02398   388   NtClose  (364, ... ) == 0x0
 02399   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02400   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 24641536, 65536, ) == 0x0
 02401   388   NtAllocateVirtualMemory  (-1, 24641536, 0, 4096, 4096, 4, ... 24641536, 4096, ) == 0x0
 02402   388   NtAllocateVirtualMemory  (-1, 24645632, 0, 8192, 4096, 4, ... 24645632, 8192, ) == 0x0
 02403   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1230112, ... ) }, 1230112, ... ) == 0x0
 02404   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02405   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 360, ) == 0x0
 02406   388   NtClose  (364, ... ) == 0x0
 02407   388   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x18a0000), 0x0, 262144, ) == 0x0
 02408   388   NtClose  (360, ... ) == 0x0
 02409   388   NtUnmapViewOfSection  (-1, 0x18a0000, ... ) == 0x0
 02410   388   NtAllocateLocallyUniqueId  (... {66159, 0}, ) == 0x0
 02411   388   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02412   388   NtOpenProcessToken  (-1, 0x20008, ... 360, ) == 0x0
 02413   388   NtQueryInformationToken  (360, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 02414   388   NtClose  (360, ... ) == 0x0
 02415   388   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231432, 0,  (0xf0007, {24, 52, 0x80, 1231432, 0, "DfSharedHeap1026F"}, {4194304, 0}, 4, 67108864, 0, ... 360, ) }, {4194304, 0}, 4, 67108864, 0, ... 360, ) == 0x0
 02416   388   NtMapViewOfSection  (360, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x18a0000), {0, 0}, 4194304, ) == 0x0
 02417   388   NtAllocateVirtualMemory  (-1, 25821184, 0, 16376, 4096, 4, ... 25821184, 16384, ) == 0x0
 02418   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228948,  (0x80100080, {24, 0, 0x40, 0, 1228948, "\??\UNC\missouri\binaries\work\ycdr.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 364, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0
 02419   388   NtReadFile  (364, 0, 0, 1231652, 512, {0, 0}, 0, ... {status=0x0, info=120},  (364, 0, 0, 1231652, 512, {0, 0}, 0, ... {status=0x0, info=120}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del ycdr.bat\15\12", ) , ) == 0x0
 02420   388   NtClose  (364, ... ) == 0x0
 02421   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230216, ... ) }, 1230216, ... ) == 0x0
 02422   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02423   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 368, ) == 0x0
 02424   388   NtClose  (364, ... ) == 0x0
 02425   388   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1ca0000), 0x0, 69632, ) == 0x0
 02426   388   NtClose  (368, ... ) == 0x0
 02427   388   NtUnmapViewOfSection  (-1, 0x1ca0000, ... ) == 0x0
 02428   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1230532, ... ) }, 1230532, ... ) == 0x0
 02429   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02430   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 364, ) == 0x0
 02431   388   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02432   388   NtClose  (368, ... ) == 0x0
 02433   388   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 02434   388   NtClose  (364, ... ) == 0x0
 02435   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 364, ) }, ... 364, ) == 0x0
 02436   388   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02437   388   NtClose  (364, ... ) == 0x0
 02438   388   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02439   388   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02440   388   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02441   388   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 02442   388   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 02443   388   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 02444   388   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02445   388   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02446   388   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02447   388   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02448   388   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02449   388   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02450   388   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02451   388   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02452   388   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02453   388   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02454   388   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02455   388   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02456   388   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02457   388   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02458   388   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02459   388   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02460   388   NtOpenProcessToken  (-1, 0x8, ... 364, ) == 0x0
 02461   388   NtQueryInformationToken  (364, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02462   388   NtClose  (364, ... ) == 0x0
 02463   388   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02464   388   NtReleaseMutant  (16, ...
 02465   388   NtContinue  (-131039096, 0, ...
 02464   388   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02466   388   NtQueryDefaultLocale  (1, 1229212, ... ) == 0x0
 02467   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227204, ... ) }, 1227204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02468   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227520, ... ) }, 1227520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02470   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02471   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02472   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02473   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02474   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02475   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02476   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02477   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02478   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227204, ... ) }, 1227204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02479   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227520, ... ) }, 1227520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02480   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02481   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02482   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02483   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02484   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02485   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02486   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02487   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02488   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02489   388   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 02490   388   NtReleaseMutant  (16, ...
 02491   388   NtContinue  (-131039096, 0, ...
 02490   388   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 02492   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227204, ... ) }, 1227204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02493   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227520, ... ) }, 1227520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02495   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02496   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02497   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02498   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02499   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02500   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02501   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02502   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1227512, ... ) }, 1227512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02503   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02504   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 02505   388   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02506   388   NtClose  (364, ... ) == 0x0
 02507   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 364, ) }, ... 364, ) == 0x0
 02508   388   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 368, ) }, ... 368, ) == 0x0
 02509   388   NtClose  (364, ... ) == 0x0
 02510   388   NtQueryValueKey  (368,  (368, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02511   388   NtQueryValueKey  (368,  (368, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (368, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02512   388   NtClose  (368, ... ) == 0x0
 02513   388   NtClose  (332, ... ) == 0x0
 02514   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 30015488, 4096, ) == 0x0
 02515   388   NtAllocateVirtualMemory  (-1, 30015488, 0, 4096, 4096, 4, ... 30015488, 4096, ) == 0x0
 02516   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 332, ) }, ... 332, ) == 0x0
 02517   388   NtQueryValueKey  (332,  (332, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02518   388   NtClose  (332, ... ) == 0x0
 02519   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02520   388   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 02521   388   NtOpenProcessToken  (-1, 0x2000a, ... 332, ) == 0x0
 02522   388   NtQueryInformationToken  (332, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02523   388   NtQueryInformationToken  (332, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02524   388   NtClose  (332, ... ) == 0x0
 02525   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02526   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 02527   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 02528   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02529   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 332, ) }, ... 332, ) == 0x0
 02530   388   NtQueryValueKey  (332,  (332, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02531   388   NtClose  (332, ... ) == 0x0
 02532   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 02533   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 02534   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02535   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 332, ) }, ... 332, ) == 0x0
 02536   388   NtQueryValueKey  (332,  (332, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02537   388   NtClose  (332, ... ) == 0x0
 02538   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 02539   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02540   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 332, ) }, ... 332, ) == 0x0
 02541   388   NtQueryKey  (334, Name, 392, ... {Name= (334, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02542   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02543   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02544   388   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02545   388   NtClose  (368, ... ) == 0x0
 02546   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02547   388   NtQueryValueKey  (334, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (334, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02548   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1229820, ... ) }, 1229820, ... ) == 0x0
 02549   388   NtClose  (334, ... ) == 0x0
 02550   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02551   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 332, {status=0x0, info=1}, ) }, 3, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02552   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 368, ) }, ... 368, ) == 0x0
 02553   388   NtQuerySymbolicLinkObject  (368, ...  (368, ... "\Device\WinDfs\U:0000000000009227", 66, ) , 66, ) == 0x0
 02554   388   NtClose  (368, ... ) == 0x0
 02555   388   NtQueryVolumeInformationFile  (332, 1233172, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02556   388   NtClose  (332, ... ) == 0x0
 02557   388   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 02558   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 332, ) }, ... 332, ) == 0x0
 02559   388   NtOpenKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 368, ) }, ... 368, ) == 0x0
 02560   388   NtQueryValueKey  (368,  (368, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02561   388   NtQueryValueKey  (368,  (368, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 02562   388   NtClose  (368, ... ) == 0x0
 02563   388   NtOpenKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 02564   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02565   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02566   388   NtQueryValueKey  (368,  (368, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02567   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02568   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02569   388   NtClose  (368, ... ) == 0x0
 02570   388   NtOpenKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 02571   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02572   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02573   388   NtQueryValueKey  (368,  (368, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02574   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02575   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02576   388   NtClose  (368, ... ) == 0x0
 02577   388   NtOpenKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 02578   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02579   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02580   388   NtQueryValueKey  (368,  (368, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02581   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02582   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02583   388   NtClose  (368, ... ) == 0x0
 02584   388   NtOpenKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 368, ) }, ... 368, ) == 0x0
 02585   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02586   388   NtQueryValueKey  (368,  (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02587   388   NtQueryValueKey  (368,  (368, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02588   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02589   388   NtQueryValueKey  (368,  (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 02590   388   NtClose  (368, ... ) == 0x0
 02591   388   NtClose  (332, ... ) == 0x0
 02592   388   NtQueryDefaultLocale  (1, 1232724, ... ) == 0x0
 02593   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230736, ... ) }, 1230736, ... ) == 0x0
 02594   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02595   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 332, ... 368, ) == 0x0
 02596   388   NtClose  (332, ... ) == 0x0
 02597   388   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1cb0000), 0x0, 12288, ) == 0x0
 02598   388   NtClose  (368, ... ) == 0x0
 02599   388   NtUnmapViewOfSection  (-1, 0x1cb0000, ... ) == 0x0
 02600   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231052, ... ) }, 1231052, ... ) == 0x0
 02601   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02602   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 332, ) == 0x0
 02603   388   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02604   388   NtClose  (368, ... ) == 0x0
 02605   388   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 02606   388   NtClose  (332, ... ) == 0x0
 02607   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 332, ) }, ... 332, ) == 0x0
 02608   388   NtQueryValueKey  (332,  (332, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02609   388   NtClose  (332, ... ) == 0x0
 02610   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230736, ... ) }, 1230736, ... ) == 0x0
 02611   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02612   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 332, ... 368, ) == 0x0
 02613   388   NtClose  (332, ... ) == 0x0
 02614   388   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1cb0000), 0x0, 40960, ) == 0x0
 02615   388   NtClose  (368, ... ) == 0x0
 02616   388   NtUnmapViewOfSection  (-1, 0x1cb0000, ... ) == 0x0
 02617   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231052, ... ) }, 1231052, ... ) == 0x0
 02618   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02619   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 332, ) == 0x0
 02620   388   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02621   388   NtClose  (368, ... ) == 0x0
 02622   388   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 02623   388   NtClose  (332, ... ) == 0x0
 02624   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02625   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1230240, ... ) }, 1230240, ... ) == 0x0
 02626   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02627   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 368, ) == 0x0
 02628   388   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02629   388   NtClose  (332, ... ) == 0x0
 02630   388   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 02631   388   NtClose  (368, ... ) == 0x0
 02632   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02633   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1230240, ... ) }, 1230240, ... ) == 0x0
 02634   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02635   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 332, ) == 0x0
 02636   388   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02637   388   NtClose  (368, ... ) == 0x0
 02638   388   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 02639   388   NtClose  (332, ... ) == 0x0
 02640   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02641   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1229436, ... ) }, 1229436, ... ) == 0x0
 02642   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02643   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 368, ) == 0x0
 02644   388   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02645   388   NtClose  (332, ... ) == 0x0
 02646   388   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 02647   388   NtClose  (368, ... ) == 0x0
 02648   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02649   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1229436, ... ) }, 1229436, ... ) == 0x0
 02650   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 02651   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 332, ) == 0x0
 02652   388   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02653   388   NtClose  (368, ... ) == 0x0
 02654   388   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 02655   388   NtClose  (332, ... ) == 0x0
 02656   388   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 332, ) }, ... 332, ) == 0x0
 02657   388   NtQueryValueKey  (332,  (332, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02658   388   NtAllocateVirtualMemory  (-1, 14520320, 0, 4096, 4096, 4, ... 14520320, 4096, ) == 0x0
 02659   388   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 368, ) == 0x0
 02660   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230736, ... ) }, 1230736, ... ) == 0x0
 02661   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02662   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 372, ) == 0x0
 02663   388   NtClose  (364, ... ) == 0x0
 02664   388   NtMapViewOfSection  (372, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1cb0000), 0x0, 24576, ) == 0x0
 02665   388   NtClose  (372, ... ) == 0x0
 02666   388   NtUnmapViewOfSection  (-1, 0x1cb0000, ... ) == 0x0
 02667   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231052, ... ) }, 1231052, ... ) == 0x0
 02668   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 02669   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 372, ... 364, ) == 0x0
 02670   388   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02671   388   NtClose  (372, ... ) == 0x0
 02672   388   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 02673   388   NtClose  (364, ... ) == 0x0
 02674   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 364, ) }, ... 364, ) == 0x0
 02675   388   NtQueryValueKey  (364,  (364, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 02676   388   NtClose  (364, ... ) == 0x0
 02677   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02678   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02679   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02680   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230728, ... ) }, 1230728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02681   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230728, ... ) }, 1230728, ... ) == 0x0
 02682   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 02683   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 372, ) == 0x0
 02684   388   NtClose  (364, ... ) == 0x0
 02685   388   NtMapViewOfSection  (372, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1cb0000), 0x0, 122880, ) == 0x0
 02686   388   NtClose  (372, ... ) == 0x0
 02687   388   NtUnmapViewOfSection  (-1, 0x1cb0000, ... ) == 0x0
 02688   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231044, ... ) }, 1231044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02689   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231044, ... ) }, 1231044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02690   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231044, ... ) }, 1231044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02691   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231044, ... ) }, 1231044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02692   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231044, ... ) }, 1231044, ... ) == 0x0
 02693   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 02694   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 372, ... 364, ) == 0x0
 02695   388   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02696   388   NtClose  (372, ... ) == 0x0
 02697   388   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1cb0000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE
 02698   388   NtProtectVirtualMemory  (-1, (0x1cb1000), 81920, 4, ... (0x1cb1000), 81920, 32, ) == 0x0
 02699   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 12288, 4, ... (0x1cc5000), 12288, 2, ) == 0x0
 02700   388   NtProtectVirtualMemory  (-1, (0x1cce000), 8192, 4, ... (0x1cce000), 8192, 2, ) == 0x0
 02701   388   NtMapViewOfSection  (364, -1, (0x1cb0000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 02702   388   NtProtectVirtualMemory  (-1, (0x1cb1000), 81920, 16, ... (0x1cb1000), 81920, 4, ) == 0x0
 02703   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 12288, 2, ... (0x1cc5000), 12288, 4, ) == 0x0
 02704   388   NtProtectVirtualMemory  (-1, (0x1cce000), 8192, 2, ... (0x1cce000), 8192, 8, ) == 0x0
 02705   388   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 02706   388   NtClose  (364, ... ) == 0x0
 02707   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 416, 4, ... (0x1cc5000), 4096, 2, ) == 0x0
 02708   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 4096, 2, ... (0x1cc5000), 4096, 4, ) == 0x0
 02709   388   NtFlushInstructionCache  (-1, 30167040, 416, ... ) == 0x0
 02710   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 416, 4, ... (0x1cc5000), 4096, 2, ) == 0x0
 02711   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 4096, 2, ... (0x1cc5000), 4096, 4, ) == 0x0
 02712   388   NtFlushInstructionCache  (-1, 30167040, 416, ... ) == 0x0
 02713   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 416, 4, ... (0x1cc5000), 4096, 2, ) == 0x0
 02714   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 4096, 2, ... (0x1cc5000), 4096, 4, ) == 0x0
 02715   388   NtFlushInstructionCache  (-1, 30167040, 416, ... ) == 0x0
 02716   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 416, 4, ... (0x1cc5000), 4096, 2, ) == 0x0
 02717   388   NtProtectVirtualMemory  (-1, (0x1cc5000), 4096, 2, ... (0x1cc5000), 4096, 4, ) == 0x0
 02718   388   NtFlushInstructionCache  (-1, 30167040, 416, ... ) == 0x0
 02719   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02720   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 30212096, 65536, ) == 0x0
 02721   388   NtAllocateVirtualMemory  (-1, 30212096, 0, 4096, 4096, 4, ... 30212096, 4096, ) == 0x0
 02722   388   NtAllocateVirtualMemory  (-1, 30216192, 0, 8192, 4096, 4, ... 30216192, 8192, ) == 0x0
 02723   388   NtAllocateVirtualMemory  (-1, 30224384, 0, 4096, 4096, 4, ... 30224384, 4096, ) == 0x0
 02724   388   NtQueryPerformanceCounter  (... {103391834, 0}, {3579545, 0}, ) == 0x0
 02725   388   NtRaiseException  (1230536, 1229796, 1, ...
 02726   388   NtContinue  (1228592, 0, ...
 02727   388   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 364, ) }, ... 364, ) == 0x0
 02728   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02729   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02730   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02731   388   NtRaiseException  (1220512, 1219772, 1, ...
 02732   388   NtContinue  (1218568, 0, ...
 02733   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02734   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02735   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02736   388   NtRaiseException  (1222272, 1221532, 1, ...
 02737   388   NtContinue  (1220328, 0, ...
 02738   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02739   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02741   388   NtRaiseException  (1222276, 1221536, 1, ...
 02742   388   NtContinue  (1220332, 0, ...
 02743   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02744   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02745   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02746   388   NtRaiseException  (1222272, 1221532, 1, ...
 02747   388   NtContinue  (1220328, 0, ...
 02748   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02749   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02750   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02751   388   NtRaiseException  (1222276, 1221536, 1, ...
 02752   388   NtContinue  (1220332, 0, ...
 02753   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02754   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02755   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02756   388   NtRaiseException  (1222272, 1221532, 1, ...
 02757   388   NtContinue  (1220328, 0, ...
 02758   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02759   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02761   388   NtRaiseException  (1222276, 1221536, 1, ...
 02762   388   NtContinue  (1220332, 0, ...
 02763   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02764   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02765   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02766   388   NtRaiseException  (1222272, 1221532, 1, ...
 02767   388   NtContinue  (1220328, 0, ...
 02768   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02769   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02770   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02771   388   NtRaiseException  (1222276, 1221536, 1, ...
 02772   388   NtContinue  (1220332, 0, ...
 02773   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02774   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02775   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02776   388   NtRaiseException  (1222272, 1221532, 1, ...
 02777   388   NtContinue  (1220328, 0, ...
 02778   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02779   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02780   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02781   388   NtRaiseException  (1222276, 1221536, 1, ...
 02782   388   NtContinue  (1220332, 0, ...
 02783   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02784   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02786   388   NtRaiseException  (1222272, 1221532, 1, ...
 02787   388   NtContinue  (1220328, 0, ...
 02788   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02789   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02790   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02791   388   NtRaiseException  (1222276, 1221536, 1, ...
 02792   388   NtContinue  (1220332, 0, ...
 02793   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02794   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02795   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02796   388   NtRaiseException  (1222272, 1221532, 1, ...
 02797   388   NtContinue  (1220328, 0, ...
 02798   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02799   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02800   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02801   388   NtRaiseException  (1222276, 1221536, 1, ...
 02802   388   NtContinue  (1220332, 0, ...
 02803   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02804   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02805   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02806   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1230704, ... ) }, 1230704, ... ) == 0x0
 02807   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 372, ) == 0x0
 02808   388   NtQueryInformationProcess  (372, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02809   388   NtClose  (372, ... ) == 0x0
 02810   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1230704, ... ) }, 1230704, ... ) == 0x0
 02811   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02812   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0
 02813   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02814   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02815   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229752,  (0xc0100080, {24, 0, 0x40, 0, 1229752, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 02816   388   NtSetInformationFile  (376, 1229808, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02817   388   NtSetInformationFile  (376, 1229800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02818   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02819   388   NtWriteFile  (376, 177, 0, 0,  (376, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02820   388   NtReadFile  (376, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02821   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02822   388   NtClose  (372, ... ) == 0x0
 02823   388   NtClose  (376, ... ) == 0x0
 02824   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02825   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 02826   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02827   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02828   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1229752,  (0xc0100080, {24, 0, 0x40, 0, 1229752, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 02829   388   NtSetInformationFile  (372, 1229808, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02830   388   NtSetInformationFile  (372, 1229800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02831   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02832   388   NtWriteFile  (372, 177, 0, 0,  (372, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02833   388   NtReadFile  (372, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (372, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02834   388   NtFsControlFile  (372, 177, 0x0, 0x0, 0x11c017,  (372, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (372, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02835   388   NtClose  (376, ... ) == 0x0
 02836   388   NtClose  (372, ... ) == 0x0
 02837   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 372, ) }, ... 372, ) == 0x0
 02838   388   NtQueryKey  (372, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 02839   388   NtQuerySecurityObject  (372, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02840   388   NtQuerySecurityObject  (372, 15, 0, ... ) == STATUS_ACCESS_DENIED
 02841   388   NtQueryValueKey  (372,  (372, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 02842   388   NtClose  (372, ... ) == 0x0
 02843   388   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0
 02844   388   NtFsControlFile  (372, 0, 0x0, 0x0, 0x600bc,  (372, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (372, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02845   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02846   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 02847   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02848   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02849   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231192,  (0xc0100080, {24, 0, 0x40, 0, 1231192, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0
 02850   388   NtSetInformationFile  (380, 1231248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02851   388   NtSetInformationFile  (380, 1231240, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02852   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02853   388   NtWriteFile  (380, 177, 0, 0,  (380, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02854   388   NtReadFile  (380, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (380, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02855   388   NtFsControlFile  (380, 177, 0x0, 0x0, 0x11c017,  (380, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\300\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (380, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\300\317\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02856   388   NtClose  (376, ... ) == 0x0
 02857   388   NtClose  (380, ... ) == 0x0
 02858   388   NtWaitForSingleObject  (368, 0, {-70000000, -1}, ... ) == 0x0
 02859   388   NtReleaseSemaphore  (368, 1, ... 0x0, ) == 0x0
 02860   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1230704, ... ) }, 1230704, ... ) == 0x0
 02861   388   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 380, ) }, ... 380, ) == 0x0
 02862   388   NtWaitForSingleObject  (380, 0, {-1800000000, -1}, ... ) == 0x0
 02863   388   NtClose  (380, ... ) == 0x0
 02864   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02865   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 02866   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02867   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02868   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231228,  (0xc0100080, {24, 0, 0x40, 0, 1231228, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 02869   388   NtSetInformationFile  (376, 1231284, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02870   388   NtSetInformationFile  (376, 1231276, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02871   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02872   388   NtWriteFile  (376, 177, 0, 0,  (376, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02873   388   NtReadFile  (376, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02874   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02875   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02876   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02877   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\224&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02878   388   NtFsControlFile  (376, 177, 0x0, 0x0, 0x11c017,  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\225&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02879   388   NtClose  (380, ... ) == 0x0
 02880   388   NtClose  (376, ... ) == 0x0
 02881   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1230696, ... ) }, 1230696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02882   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "system32\hgfs1.dll"}, 1230696, ... ) }, 1230696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02883   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1230696, ... ) }, 1230696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02884   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1230696, ... ) }, 1230696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02885   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1230696, ... ) }, 1230696, ... ) == 0x0
 02886   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 376, ) }, ... 376, ) == 0x0
 02887   388   NtQueryValueKey  (376,  (376, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 02888   388   NtClose  (376, ... ) == 0x0
 02889   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 376, ) }, ... 376, ) == 0x0
 02890   388   NtQueryValueKey  (376,  (376, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 02891   388   NtClose  (376, ... ) == 0x0
 02892   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 376, ) }, ... 376, ) == 0x0
 02893   388   NtQueryValueKey  (376,  (376, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 02894   388   NtClose  (376, ... ) == 0x0
 02895   388   NtRaiseException  (1221196, 1220456, 1, ...
 02896   388   NtContinue  (1219252, 0, ...
 02897   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02898   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02899   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02900   388   NtRaiseException  (1221192, 1220452, 1, ...
 02901   388   NtContinue  (1219248, 0, ...
 02902   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02903   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02904   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02905   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1231860, 0,  (0x1f0001, {24, 52, 0x80, 1231860, 0, "HGFSMUTEX"}, 1, ... 376, ) }, 1, ... 376, ) == 0x0
 02906   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02907   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1228880, ... ) }, 1228880, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02908   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "shfolder.dll"}, 1228880, ... ) }, 1228880, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02909   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1228880, ... ) }, 1228880, ... ) == 0x0
 02910   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 380, {status=0x0, info=1}, ) }, 5, 96, ... 380, {status=0x0, info=1}, ) == 0x0
 02911   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 380, ... 384, ) == 0x0
 02912   388   NtQuerySection  (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02913   388   NtClose  (380, ... ) == 0x0
 02914   388   NtMapViewOfSection  (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0
 02915   388   NtClose  (384, ... ) == 0x0
 02916   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02917   388   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1372784, 0,  (0x1f0003, {24, 52, 0x80, 1372784, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 384, ) }, 0, 2147483647, ... 384, ) == STATUS_OBJECT_NAME_EXISTS
 02918   388   NtReleaseSemaphore  (384, 1, ... 0, ) == 0x0
 02919   388   NtWaitForSingleObject  (384, 0, {0, 0}, ... ) == 0x0
 02920   388   NtCreateKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0
 02921   388   NtQueryValueKey  (380,  (380, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (380, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0
 02922   388   NtClose  (380, ... ) == 0x0
 02923   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1229412, ... ) }, 1229412, ... ) == 0x0
 02924   388   NtCreateKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0
 02925   388   NtSetValueKey  (380,  (380, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1,  (380, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0
 02926   388   NtClose  (380, ... ) == 0x0
 02927   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 02928   388   NtQueryDirectoryFile  (380, 0, 0, 0, 1229552, 616, BothDirectory, 1,  (380, 0, 0, 0, 1229552, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0
 02929   388   NtUnmapViewOfSection  (-1, 0x76780000, ... ) == 0x0
 02930   388   NtRaiseException  (1220832, 1220092, 1, ...
 02931   388   NtContinue  (1218888, 0, ...
 02932   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02933   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02934   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02935   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1231860, 1231436,  (0xc0100080, {24, 0, 0x40, 1231860, 1231436, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02936   388   NtRaiseException  (1220832, 1220092, 1, ...
 02937   388   NtContinue  (1218888, 0, ...
 02938   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02939   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02940   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02941   388   NtCreateSection  (0xf0007, {24, 52, 0x80, 1231860, 0,  (0xf0007, {24, 52, 0x80, 1231860, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 388, ... 392, ) }, {27876, 0}, 4, 134217728, 388, ... 392, ) == 0x0
 02942   388   NtMapViewOfSection  (392, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1ce0000), {0, 0}, 28672, ) == 0x0
 02943   388   NtReleaseMutant  (376, ... 0x0, ) == 0x0
 02944   388   NtRaiseException  (1222248, 1221508, 1, ...
 02945   388   NtContinue  (1220304, 0, ...
 02946   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02947   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02948   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02949   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1232904, 1232492,  (0xc0100080, {24, 0, 0x40, 1232904, 1232492, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 396, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 396, {status=0x0, info=0}, ) == 0x0
 02950   388   NtDeviceIoControlFile  (396, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (396, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 02951   388   NtClose  (396, ... ) == 0x0
 02952   388   NtRaiseException  (1222228, 1221488, 1, ...
 02953   388   NtContinue  (1220284, 0, ...
 02954   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02955   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02956   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02957   388   NtRaiseException  (1222248, 1221508, 1, ...
 02958   388   NtContinue  (1220304, 0, ...
 02959   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 02960   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02961   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 02962   388   NtAllocateVirtualMemory  (-1, 1482752, 0, 20480, 4096, 4, ... 1482752, 20480, ) == 0x0
 02963   388   NtAllocateVirtualMemory  (-1, 1503232, 0, 20480, 4096, 4, ... 1503232, 20480, ) == 0x0
 02964   388   NtWaitForSingleObject  (368, 0, {-70000000, -1}, ... ) == 0x0
 02965   388   NtReleaseSemaphore  (368, 1, ... 0x0, ) == 0x0
 02966   388   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 396, ) }, ... 396, ) == 0x0
 02967   388   NtWaitForSingleObject  (396, 0, {-1800000000, -1}, ... ) == 0x0
 02968   388   NtClose  (396, ... ) == 0x0
 02969   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02970   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 02971   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02972   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02973   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231168,  (0xc0100080, {24, 0, 0x40, 0, 1231168, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0
 02974   388   NtSetInformationFile  (400, 1231224, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02975   388   NtSetInformationFile  (400, 1231216, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02976   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02977   388   NtWriteFile  (400, 177, 0, 0,  (400, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02978   388   NtReadFile  (400, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (400, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\246!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02979   388   NtFsControlFile  (400, 177, 0x0, 0x0, 0x11c017,  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\246!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\246!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02980   388   NtFsControlFile  (400, 177, 0x0, 0x0, 0x11c017,  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02981   388   NtFsControlFile  (400, 177, 0x0, 0x0, 0x11c017,  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02982   388   NtFsControlFile  (400, 177, 0x0, 0x0, 0x11c017,  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02983   388   NtFsControlFile  (400, 177, 0x0, 0x0, 0x11c017,  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (400, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\227&=\31\Q\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02984   388   NtClose  (396, ... ) == 0x0
 02985   388   NtClose  (400, ... ) == 0x0
 02986   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02987   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0
 02988   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02989   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02990   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231260,  (0xc0100080, {24, 0, 0x40, 0, 1231260, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0
 02991   388   NtSetInformationFile  (396, 1231316, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02992   388   NtSetInformationFile  (396, 1231308, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02993   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02994   388   NtWriteFile  (396, 177, 0, 0,  (396, 177, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02995   388   NtReadFile  (396, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (396, 177, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\206&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02996   388   NtFsControlFile  (396, 177, 0x0, 0x0, 0x11c017,  (396, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\206&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (396, 177, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\206&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02997   388   NtClose  (400, ... ) == 0x0
 02998   388   NtClose  (396, ... ) == 0x0
 02999   388   NtCreateKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 396, 2, ) }, 0, 0x0, 0, ... 396, 2, ) == 0x0
 03000   388   NtSetValueKey  (396,  (396, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (396, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03001   388   NtClose  (396, ... ) == 0x0
 03002   388   NtOpenKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 396, ) }, ... 396, ) == 0x0
 03003   388   NtQueryValueKey  (396,  (396, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03004   388   NtClose  (396, ... ) == 0x0
 03005   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03006   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03007   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03008   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03009   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03010   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03011   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03012   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03013   388   NtCreateKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 396, 2, ) }, 0, 0x0, 0, ... 396, 2, ) == 0x0
 03014   388   NtSetValueKey  (396,  (396, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (396, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03015   388   NtClose  (396, ... ) == 0x0
 03016   388   NtOpenKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 396, ) }, ... 396, ) == 0x0
 03017   388   NtQueryValueKey  (396,  (396, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03018   388   NtClose  (396, ... ) == 0x0
 03019   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03020   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03021   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03022   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03023   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03025   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03026   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03027   388   NtWaitForSingleObject  (368, 0, {-70000000, -1}, ... ) == 0x0
 03028   388   NtReleaseSemaphore  (368, 1, ... 0x0, ) == 0x0
 03029   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03030   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03031   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03032   388   NtClose  (396, ... ) == 0x0
 03033   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 03034   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "Network"}, ... 400, ) }, ... 400, ) == 0x0
 03035   388   NtClose  (396, ... ) == 0x0
 03036   388   NtQueryKey  (400, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (400, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03037   388   NtQuerySecurityObject  (400, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03038   388   NtQuerySecurityObject  (400, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03039   388   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 03040   388   NtEnumerateKey  (400, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (400, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03041   388   NtOpenKey  (0x2001f, {24, 400, 0x40, 0, 0,  (0x2001f, {24, 400, 0x40, 0, 0, "f"}, ... 396, ) }, ... 396, ) == 0x0
 03042   388   NtQueryValueKey  (396,  (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03043   388   NtQueryValueKey  (396,  (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03044   388   NtQueryValueKey  (396,  (396, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03045   388   NtQueryValueKey  (396,  (396, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03046   388   NtQueryValueKey  (396,  (396, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03047   388   NtQueryValueKey  (396,  (396, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03048   388   NtQueryValueKey  (396,  (396, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03049   388   NtClose  (396, ... ) == 0x0
 03050   388   NtEnumerateKey  (400, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (400, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03051   388   NtOpenKey  (0x2001f, {24, 400, 0x40, 0, 0,  (0x2001f, {24, 400, 0x40, 0, 0, "u"}, ... 396, ) }, ... 396, ) == 0x0
 03052   388   NtQueryValueKey  (396,  (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03053   388   NtQueryValueKey  (396,  (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03054   388   NtQueryValueKey  (396,  (396, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03055   388   NtQueryValueKey  (396,  (396, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03056   388   NtQueryValueKey  (396,  (396, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03057   388   NtQueryValueKey  (396,  (396, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03058   388   NtQueryValueKey  (396,  (396, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03059   388   NtClose  (396, ... ) == 0x0
 03060   388   NtClose  (400, ... ) == 0x0
 03061   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03062   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03063   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03064   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03065   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03066   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03067   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 400, ) }, ... 400, ) == 0x0
 03068   388   NtQueryKey  (402, Name, 392, ... {Name= (402, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03069   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03070   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03071   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03072   388   NtClose  (396, ... ) == 0x0
 03073   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03074   388   NtEnumerateKey  (402, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (402, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03075   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03076   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03077   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 396, ) }, ... 396, ) == 0x0
 03078   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03079   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03080   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03081   388   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03082   388   NtClose  (404, ... ) == 0x0
 03083   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03084   388   NtQueryValueKey  (398,  (398, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (398, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03085   388   NtClose  (398, ... ) == 0x0
 03086   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03087   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 396, {status=0x0, info=1}, ) }, 3, 96, ... 396, {status=0x0, info=1}, ) == 0x0
 03088   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 404, ) }, ... 404, ) == 0x0
 03089   388   NtQuerySymbolicLinkObject  (404, ...  (404, ... "\Device\WinDfs\U:0000000000009227", 66, ) , 66, ) == 0x0
 03090   388   NtClose  (404, ... ) == 0x0
 03091   388   NtQueryVolumeInformationFile  (396, 1232580, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03092   388   NtClose  (396, ... ) == 0x0
 03093   388   NtEnumerateKey  (402, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03094   388   NtClose  (402, ... ) == 0x0
 03095   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 400, {status=0x0, info=1}, ) }, 3, 16417, ... 400, {status=0x0, info=1}, ) == 0x0
 03096   388   NtQueryDirectoryFile  (400, 0, 0, 0, 1231372, 616, BothDirectory, 1,  (400, 0, 0, 0, 1231372, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03097   388   NtClose  (400, ... ) == 0x0
 03098   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03099   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03100   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 400, ) }, ... 400, ) == 0x0
 03101   388   NtQueryKey  (402, Name, 384, ... {Name= (402, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03102   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03103   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03104   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03105   388   NtClose  (396, ... ) == 0x0
 03106   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03107   388   NtOpenKey  (0x1, {24, 402, 0x40, 0, 0,  (0x1, {24, 402, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108   388   NtQueryKey  (402, Name, 384, ... {Name= (402, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03109   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03110   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03111   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03112   388   NtClose  (396, ... ) == 0x0
 03113   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03114   388   NtOpenKey  (0x2000000, {24, 402, 0x40, 0, 0, ""}, ... 396, ) == 0x0
 03115   388   NtClose  (402, ... ) == 0x0
 03116   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03117   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03118   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03119   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03120   388   NtQueryValueKey  (400,  (400, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03121   388   NtClose  (400, ... ) == 0x0
 03122   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03123   388   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0, ""}, ... 400, ) == 0x0
 03124   388   NtQueryValueKey  (400,  (400, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (400, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03125   388   NtQueryValueKey  (400,  (400, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (400, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03126   388   NtClose  (400, ... ) == 0x0
 03127   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03128   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03129   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03130   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03131   388   NtQueryValueKey  (400,  (400, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03132   388   NtClose  (400, ... ) == 0x0
 03133   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03134   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03135   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03136   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03137   388   NtQueryValueKey  (400,  (400, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03138   388   NtClose  (400, ... ) == 0x0
 03139   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03140   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03141   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03142   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03143   388   NtQueryValueKey  (400,  (400, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03144   388   NtClose  (400, ... ) == 0x0
 03145   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03146   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03147   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03148   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03149   388   NtQueryValueKey  (400,  (400, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03150   388   NtClose  (400, ... ) == 0x0
 03151   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03152   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03153   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03154   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03155   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03156   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03157   388   NtQueryValueKey  (400,  (400, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03158   388   NtClose  (400, ... ) == 0x0
 03159   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03160   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03161   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03162   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03163   388   NtQueryValueKey  (400,  (400, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   388   NtClose  (400, ... ) == 0x0
 03165   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03166   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03167   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 400, ) }, ... 400, ) == 0x0
 03169   388   NtQueryValueKey  (400,  (400, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03170   388   NtClose  (400, ... ) == 0x0
 03171   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03172   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03173   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03174   388   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "Advanced"}, ... 400, ) }, ... 400, ) == 0x0
 03175   388   NtQueryValueKey  (400,  (400, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03176   388   NtQueryValueKey  (400,  (400, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03177   388   NtQueryValueKey  (400,  (400, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03178   388   NtQueryValueKey  (400,  (400, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03179   388   NtQueryValueKey  (400,  (400, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03180   388   NtQueryValueKey  (400,  (400, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03181   388   NtQueryValueKey  (400,  (400, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03182   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03183   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03184   388   NtQueryValueKey  (400,  (400, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03185   388   NtQueryValueKey  (400,  (400, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03186   388   NtQueryValueKey  (400,  (400, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03187   388   NtQueryValueKey  (400,  (400, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03188   388   NtQueryValueKey  (400,  (400, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03189   388   NtClose  (400, ... ) == 0x0
 03190   388   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1372784, 0,  (0x1f0003, {24, 52, 0x80, 1372784, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 400, ) }, 0, 2147483647, ... 400, ) == STATUS_OBJECT_NAME_EXISTS
 03191   388   NtReleaseSemaphore  (400, 1, ... 0, ) == 0x0
 03192   388   NtWaitForSingleObject  (400, 0, {0, 0}, ... ) == 0x0
 03193   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03194   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03195   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03196   388   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03197   388   NtClose  (404, ... ) == 0x0
 03198   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03199   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03200   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03201   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03202   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03203   388   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03204   388   NtClose  (404, ... ) == 0x0
 03205   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03206   388   NtQueryValueKey  (398,  (398, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03207   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03208   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03209   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03210   388   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03211   388   NtClose  (404, ... ) == 0x0
 03212   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03213   388   NtQueryValueKey  (398,  (398, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03215   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03216   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 404, ) == 0x0
 03217   388   NtQueryInformationToken  (404, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03218   388   NtClose  (404, ... ) == 0x0
 03219   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03220   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03221   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03222   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03223   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 404, ) }, ... 404, ) == 0x0
 03224   388   NtQueryKey  (406, Name, 384, ... {Name= (406, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03225   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03226   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03227   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03228   388   NtClose  (408, ... ) == 0x0
 03229   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03230   388   NtOpenKey  (0x1, {24, 406, 0x40, 0, 0,  (0x1, {24, 406, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03231   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03232   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03233   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03234   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03235   388   NtClose  (408, ... ) == 0x0
 03236   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03237   388   NtQueryValueKey  (398,  (398, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03238   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03239   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03240   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03241   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03242   388   NtClose  (408, ... ) == 0x0
 03243   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03244   388   NtQueryValueKey  (398,  (398, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (398, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03245   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03246   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03247   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03248   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03249   388   NtClose  (408, ... ) == 0x0
 03250   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03251   388   NtQueryValueKey  (398,  (398, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03252   388   NtClose  (398, ... ) == 0x0
 03253   388   NtClose  (406, ... ) == 0x0
 03254   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 404, {status=0x0, info=1}, ) }, 3, 16417, ... 404, {status=0x0, info=1}, ) == 0x0
 03255   388   NtQueryDirectoryFile  (404, 0, 0, 0, 1231300, 616, BothDirectory, 1,  (404, 0, 0, 0, 1231300, 616, BothDirectory, 1, "ycdr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03256   388   NtClose  (404, ... ) == 0x0
 03257   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03258   388   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "FileExts"}, ... 404, ) }, ... 404, ) == 0x0
 03259   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03260   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03261   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03262   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03263   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03264   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 396, ) }, ... 396, ) == 0x0
 03265   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03266   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03267   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03268   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03269   388   NtClose  (408, ... ) == 0x0
 03270   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03271   388   NtQueryValueKey  (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03272   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03273   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03274   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 408, ) }, ... 408, ) == 0x0
 03275   388   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03276   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03277   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03278   388   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03279   388   NtClose  (412, ... ) == 0x0
 03280   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03281   388   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03282   388   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03283   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03284   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03285   388   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03286   388   NtClose  (412, ... ) == 0x0
 03287   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03288   388   NtOpenKey  (0x2000000, {24, 410, 0x40, 0, 0, ""}, ... 412, ) == 0x0
 03289   388   NtClose  (410, ... ) == 0x0
 03290   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03291   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03292   388   NtReleaseSemaphore  (400, 1, ... 0, ) == 0x0
 03293   388   NtWaitForSingleObject  (400, 0, {0, 0}, ... ) == 0x0
 03294   388   NtQueryKey  (414, Name, 384, ... {Name= (414, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03295   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03296   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03297   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03298   388   NtClose  (408, ... ) == 0x0
 03299   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03300   388   NtOpenKey  (0x1, {24, 414, 0x40, 0, 0,  (0x1, {24, 414, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03301   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03302   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03303   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03304   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03305   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03306   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0
 03307   388   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03308   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03309   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03310   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03311   388   NtClose  (416, ... ) == 0x0
 03312   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03313   388   NtQueryValueKey  (410,  (410, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03314   388   NtClose  (410, ... ) == 0x0
 03315   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03316   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03317   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03318   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03319   388   NtClose  (408, ... ) == 0x0
 03320   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03321   388   NtQueryValueKey  (414,  (414, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03322   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03323   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03324   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03325   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03326   388   NtClose  (408, ... ) == 0x0
 03327   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03328   388   NtQueryValueKey  (414,  (414, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03329   388   NtQueryKey  (414, Name, 384, ... {Name= (414, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03330   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03331   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03332   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03333   388   NtClose  (408, ... ) == 0x0
 03334   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03335   388   NtOpenKey  (0x1, {24, 414, 0x40, 0, 0,  (0x1, {24, 414, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03336   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03337   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03338   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 408, ) }, ... 408, ) == 0x0
 03339   388   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03340   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03341   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03342   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03343   388   NtClose  (416, ... ) == 0x0
 03344   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03345   388   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03346   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03347   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03348   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03349   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03350   388   NtClose  (416, ... ) == 0x0
 03351   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03352   388   NtQueryValueKey  (414,  (414, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03353   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03354   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03355   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03356   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03357   388   NtClose  (416, ... ) == 0x0
 03358   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03359   388   NtQueryValueKey  (414,  (414, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03360   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03361   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03362   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03363   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03364   388   NtClose  (416, ... ) == 0x0
 03365   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03366   388   NtQueryValueKey  (414,  (414, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03367   388   NtClose  (398, ... ) == 0x0
 03368   388   NtClose  (414, ... ) == 0x0
 03369   388   NtClose  (410, ... ) == 0x0
 03370   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03371   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03372   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03373   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03374   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03375   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03376   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 408, ) }, ... 408, ) == 0x0
 03377   388   NtQueryKey  (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03378   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03379   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03380   388   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03381   388   NtClose  (412, ... ) == 0x0
 03382   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03383   388   NtQueryValueKey  (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (410, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03384   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03385   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03386   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 412, ) }, ... 412, ) == 0x0
 03387   388   NtQueryKey  (414, Name, 384, ... {Name= (414, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03388   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03389   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03390   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03391   388   NtClose  (396, ... ) == 0x0
 03392   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03393   388   NtOpenKey  (0x1, {24, 414, 0x40, 0, 0,  (0x1, {24, 414, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03394   388   NtQueryKey  (414, Name, 384, ... {Name= (414, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03395   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03396   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03397   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03398   388   NtClose  (396, ... ) == 0x0
 03399   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03400   388   NtOpenKey  (0x2000000, {24, 414, 0x40, 0, 0, ""}, ... 396, ) == 0x0
 03401   388   NtClose  (414, ... ) == 0x0
 03402   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03403   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03404   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03405   388   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03406   388   NtClose  (412, ... ) == 0x0
 03407   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03408   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03409   388   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 03410   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03411   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 412, ) == 0x0
 03412   388   NtQueryInformationToken  (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03413   388   NtClose  (412, ... ) == 0x0
 03414   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03415   388   NtOpenKey  (0x1, {24, 410, 0x40, 0, 0,  (0x1, {24, 410, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03416   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03417   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03418   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03419   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03420   388   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03421   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 412, ) }, ... 412, ) == 0x0
 03422   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03423   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03424   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03425   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03426   388   NtClose  (416, ... ) == 0x0
 03427   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03428   388   NtQueryValueKey  (414,  (414, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03429   388   NtClose  (414, ... ) == 0x0
 03430   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03431   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03432   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 412, ) }, ... 412, ) == 0x0
 03433   388   NtQueryKey  (414, Name, 384, ... {Name= (414, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03434   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03435   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03436   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03437   388   NtClose  (416, ... ) == 0x0
 03438   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03439   388   NtOpenKey  (0x1, {24, 414, 0x40, 0, 0,  (0x1, {24, 414, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03440   388   NtClose  (410, ... ) == 0x0
 03441   388   NtClose  (398, ... ) == 0x0
 03442   388   NtClose  (414, ... ) == 0x0
 03443   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03444   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03445   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03446   388   NtOpenKey  (0x2000000, {24, 404, 0x40, 0, 0,  (0x2000000, {24, 404, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03447   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03448   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03449   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 412, ) }, ... 412, ) == 0x0
 03450   388   NtQueryKey  (414, Name, 392, ... {Name= (414, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03451   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03452   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03453   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03454   388   NtClose  (396, ... ) == 0x0
 03455   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03456   388   NtQueryValueKey  (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (414, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03457   388   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03458   388   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03459   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 396, ) }, ... 396, ) == 0x0
 03460   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03461   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03462   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03463   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03464   388   NtClose  (408, ... ) == 0x0
 03465   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03466   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03467   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03468   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03469   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03470   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03471   388   NtClose  (408, ... ) == 0x0
 03472   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   388   NtOpenKey  (0x2000000, {24, 398, 0x40, 0, 0, ""}, ... 408, ) == 0x0
 03474   388   NtClose  (398, ... ) == 0x0
 03475   388   NtQueryKey  (410, Name, 384, ... {Name= (410, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03476   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03477   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 03478   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03479   388   NtClose  (396, ... ) == 0x0
 03480   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03481   388   NtOpenKey  (0x2000000, {24, 410, 0x40, 0, 0,  (0x2000000, {24, 410, 0x40, 0, 0, "shell\open"}, ... 396, ) }, ... 396, ) == 0x0
 03482   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03483   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03484   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03485   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03486   388   NtClose  (416, ... ) == 0x0
 03487   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "command"}, ... 416, ) }, ... 416, ) == 0x0
 03489   388   NtQueryKey  (418, Name, 392, ... {Name= (418, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03490   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03491   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 420, ) == 0x0
 03492   388   NtQueryInformationToken  (420, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03493   388   NtClose  (420, ... ) == 0x0
 03494   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03495   388   NtQueryValueKey  (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03496   388   NtClose  (418, ... ) == 0x0
 03497   388   NtOpenKey  (0x2000000, {24, 112, 0x40, 0, 0,  (0x2000000, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03498   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03499   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03500   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03501   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03502   388   NtClose  (416, ... ) == 0x0
 03503   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03504   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "command"}, ... 416, ) }, ... 416, ) == 0x0
 03505   388   NtQueryKey  (418, Name, 392, ... {Name= (418, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03506   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03507   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 420, ) == 0x0
 03508   388   NtQueryInformationToken  (420, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03509   388   NtClose  (420, ... ) == 0x0
 03510   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03511   388   NtQueryValueKey  (418,  (418, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03512   388   NtClose  (418, ... ) == 0x0
 03513   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\ycdr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03514   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 03515   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03516   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03517   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03518   388   NtClose  (416, ... ) == 0x0
 03519   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03520   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "command"}, ... 416, ) }, ... 416, ) == 0x0
 03521   388   NtQueryKey  (418, Name, 392, ... {Name= (418, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03522   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03523   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 420, ) == 0x0
 03524   388   NtQueryInformationToken  (420, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03525   388   NtClose  (420, ... ) == 0x0
 03526   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03527   388   NtQueryValueKey  (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03528   388   NtClose  (418, ... ) == 0x0
 03529   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03530   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03531   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03532   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03533   388   NtClose  (416, ... ) == 0x0
 03534   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03535   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03536   388   NtUserGetForegroundWindow  (... ) == 0x20060
 03537   388   NtQueryKey  (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 03538   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03539   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 416, ) == 0x0
 03540   388   NtQueryInformationToken  (416, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03541   388   NtClose  (416, ... ) == 0x0
 03542   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03543   388   NtOpenKey  (0x1, {24, 398, 0x40, 0, 0,  (0x1, {24, 398, 0x40, 0, 0, "command"}, ... 416, ) }, ... 416, ) == 0x0
 03544   388   NtQueryKey  (418, Name, 392, ... {Name= (418, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 03545   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03546   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 420, ) == 0x0
 03547   388   NtQueryInformationToken  (420, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03548   388   NtClose  (420, ... ) == 0x0
 03549   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03550   388   NtQueryValueKey  (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (418, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 03551   388   NtClose  (418, ... ) == 0x0
 03552   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03553   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03554   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03555   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 416, ) }, ... 416, ) == 0x0
 03556   388   NtQueryValueKey  (416,  (416, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03557   388   NtClose  (416, ... ) == 0x0
 03558   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03559   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03560   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03561   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 416, ) }, ... 416, ) == 0x0
 03562   388   NtQueryValueKey  (416,  (416, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03563   388   NtClose  (416, ... ) == 0x0
 03564   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\ycdr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03565   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03566   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\ycdr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03567   388   NtReleaseSemaphore  (200, 1, ... 0, ) == 0x0
 03568   388   NtWaitForSingleObject  (200, 0, {0, 0}, ... ) == 0x0
 03569   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03570   388   NtOpenKey  (0x1, {24, 112, 0x40, 0, 0,  (0x1, {24, 112, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 416, ) }, ... 416, ) == 0x0
 03571   388   NtQueryValueKey  (416,  (416, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03572   388   NtClose  (416, ... ) == 0x0
 03573   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\ycdr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03574   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03575   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1227776, ... ) }, 1227776, ... ) == 0x0
 03576   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1228468, ... ) }, 1228468, ... ) == 0x0
 03577   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03578   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 416, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 03579   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 420, ) }, ... 420, ) == 0x0
 03580   388   NtQueryValueKey  (420,  (420, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03581   388   NtClose  (420, ... ) == 0x0
 03582   388   NtQueryVolumeInformationFile  (416, 1227776, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03583   388   NtWaitForSingleObject  (212, 0, {-1000000, -1}, ... ) == 0x0
 03584   388   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 03585   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1225760, ... ) }, 1225760, ... ) == 0x0
 03586   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03587   388   NtQueryInformationFile  (420, 1226364, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03588   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 420, ... 424, ) == 0x0
 03589   388   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1d50000), 0x0, 1028096, ) == 0x0
 03590   388   NtQueryInformationFile  (420, 1226460, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03591   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03592   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 03593   388   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03594   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 428, {status=0x0, info=1}, ) }, 3, 16417, ... 428, {status=0x0, info=1}, ) == 0x0
 03595   388   NtQueryDirectoryFile  (428, 0, 0, 0, 1224024, 616, BothDirectory, 1,  (428, 0, 0, 0, 1224024, 616, BothDirectory, 1, "ycdr.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03596   388   NtClose  (428, ... ) == 0x0
 03597   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03598   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03599   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1223412, ... ) }, 1223412, ... ) == 0x0
 03600   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 428, {status=0x0, info=1}, ) }, 3, 16417, ... 428, {status=0x0, info=1}, ) == 0x0
 03601   388   NtQueryDirectoryFile  (428, 0, 0, 0, 1222772, 616, BothDirectory, 1,  (428, 0, 0, 0, 1222772, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03602   388   NtClose  (428, ... ) == 0x0
 03603   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 428, {status=0x0, info=1}, ) }, 3, 16417, ... 428, {status=0x0, info=1}, ) == 0x0
 03604   388   NtQueryDirectoryFile  (428, 0, 0, 0, 1222772, 616, BothDirectory, 1,  (428, 0, 0, 0, 1222772, 616, BothDirectory, 1, "ycdr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03605   388   NtClose  (428, ... ) == 0x0
 03606   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03607   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03608   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03609   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 428, {status=0x0, info=1}, ) }, 3, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 03610   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 432, ) }, ... 432, ) == 0x0
 03611   388   NtQuerySymbolicLinkObject  (432, ...  (432, ... "\Device\WinDfs\U:0000000000009227", 66, ) , 66, ) == 0x0
 03612   388   NtClose  (432, ... ) == 0x0
 03613   388   NtQueryVolumeInformationFile  (428, 1224164, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03614   388   NtClose  (428, ... ) == 0x0
 03615   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03616   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03617   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03618   388   NtClose  (428, ... ) == 0x0
 03619   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03620   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ycdr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03621   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03622   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03623   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ycdr.bat"}, 1225692, ... ) }, 1225692, ... ) == 0x0
 03624   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 428, {status=0x0, info=1}, ) }, 3, 16417, ... 428, {status=0x0, info=1}, ) == 0x0
 03625   388   NtQueryDirectoryFile  (428, 0, 0, 0, 1225052, 616, BothDirectory, 1,  (428, 0, 0, 0, 1225052, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03626   388   NtClose  (428, ... ) == 0x0
 03627   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 428, {status=0x0, info=1}, ) }, 3, 16417, ... 428, {status=0x0, info=1}, ) == 0x0
 03628   388   NtQueryDirectoryFile  (428, 0, 0, 0, 1225052, 616, BothDirectory, 1,  (428, 0, 0, 0, 1225052, 616, BothDirectory, 1, "ycdr.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03629   388   NtClose  (428, ... ) == 0x0
 03630   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03631   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03632   388   NtWaitForSingleObject  (212, 0, {-1000000, -1}, ... ) == 0x0
 03633   388   NtQueryVolumeInformationFile  (416, 1226336, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03634   388   NtQueryInformationFile  (416, 1226316, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03635   388   NtQueryInformationFile  (416, 1226356, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03636   388   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 03637   388   NtUnmapViewOfSection  (-1, 0x1d50000, ... ) == 0x0
 03638   388   NtClose  (424, ... ) == 0x0
 03639   388   NtClose  (420, ... ) == 0x0
 03640   388   NtClose  (416, ... ) == 0x0
 03641   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1227752, ... ) }, 1227752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03642   388   NtQueryAttributesFile  ({24, 156, 0x40, 0, 0,  ({24, 156, 0x40, 0, 0, "cmd.exe"}, 1227752, ... ) }, 1227752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03643   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1227752, ... ) }, 1227752, ... ) == 0x0
 03644   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228468, ... ) }, 1228468, ... ) == 0x0
 03645   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03646   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 416, ... 420, ) == 0x0
 03647   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03648   388   NtQuerySection  (420, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03649   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03650   388   NtCreateProcessEx  (1230404, 2035711, 0, -1, 0, 420, 0, 0, 0, ... ) == 0x0
 03651   388   NtSetInformationProcess  (424, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03652   388   NtQueryInformationProcess  (424, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=316,}, 0x0, ) == 0x0
 03653   388   NtReadVirtualMemory  (424, 0x7ffdf008, 4, ...  (424, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 03654   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03655   388   NtReadVirtualMemory  (424, 0x4ad00000, 4096, ...  (424, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03656   388   NtReadVirtualMemory  (424, 0x4ad3b000, 256, ...  (424, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 03657   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03658   388   NtQueryInformationProcess  (424, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=316,}, 0x0, ) == 0x0
 03659   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1228468, ... ) }, 1228468, ... ) == 0x0
 03660   388   NtAllocateVirtualMemory  (-1, 0, 0, 1640, 4096, 4, ... 30343168, 4096, ) == 0x0
 03661   388   NtAllocateVirtualMemory  (424, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03662   388   NtWriteVirtualMemory  (424, 0x10000,  (424, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03663   388   NtAllocateVirtualMemory  (424, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0
 03664   388   NtWriteVirtualMemory  (424, 0x20000,  (424, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\08\0:\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0
 03665   388   NtWriteVirtualMemory  (424, 0x7ffdf010,  (424, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03666   388   NtWriteVirtualMemory  (424, 0x7ffdf1e8,  (424, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03667   388   NtFreeVirtualMemory  (-1, (0x1cf0000), 0, 32768, ... (0x1cf0000), 4096, ) == 0x0
 03668   388   NtAllocateVirtualMemory  (424, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03669   388   NtAllocateVirtualMemory  (424, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 03670   388   NtCreateThread  (0x1f03ff, 0x0, 424, 1228668, 1229388, 1, ... 428, {964, 968}, ) == 0x0
 03671   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1230500, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1230500, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\250\1\0\0\254\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\00\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1514, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\250\1\0\0\254\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\00\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 1514, 0}  (24, {168, 196, new_msg, 0, 0, 1230500, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\250\1\0\0\254\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\00\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1514, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\250\1\0\0\254\1\0\0\304\3\0\0\310\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\00\311\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03672   388   NtResumeThread  (428, ... 1, ) == 0x0
 03673   388   NtClose  (416, ... ) == 0x0
 03674   388   NtClose  (420, ... ) == 0x0
 03675   388   NtClose  (398, ... ) == 0x0
 03676   388   NtClose  (414, ... ) == 0x0
 03677   388   NtClose  (410, ... ) == 0x0
 03678   388   NtClose  (424, ... ) == 0x0
 03679   388   NtClose  (428, ... ) == 0x0
 03680   388   NtGdiDeleteObjectApp  (285737955, ... ) == 0x1
 03681   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03682   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03683   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03684   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03685   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03686   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03687   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03688   388   NtUserGetClassInfo  (1989935104, 1232708, 1232660, 1232736, 0, ... ) == 0x0
 03689   388   NtUnmapViewOfSection  (-1, 0x1790000, ... ) == 0x0
 03690   388   NtClose  (328, ... ) == 0x0
 03691   388   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 03692   388   NtUserDestroyWindow  (458806, ...
 03693   388   NtUserRemoveProp  (458806, 43288, ... ) == 0xffffffff
 03694   388   NtUserRemoveProp  (458806, 43282, ... ) == 0x0
 03695   388   NtUserRemoveProp  (458806, 43287, ... ) == 0x0
 03692   388   NtUserDestroyWindow  ... ) == 0x1
 03696   388   NtUserUnregisterClass  (1233848, 1998258176, 1233836, ... ) == 0x1
 03697   388   NtFreeVirtualMemory  (-1, (0x157000), 12288, 16384, ... (0x157000), 12288, ) == 0x0
 03698   388   NtClose  (232, ... ) == 0x0
 03699   388   NtClose  (224, ... ) == 0x0
 03700   388   NtClose  (228, ... ) == 0x0
 03701   388   NtClose  (204, ... ) == 0x0
 03702   388   NtClose  (220, ... ) == 0x0
 03703   388   NtClose  (252, ... ) == 0x0
 03704   388   NtClose  (256, ... ) == 0x0
 03705   388   NtClose  (248, ... ) == 0x0
 03706   388   NtClose  (240, ... ) == 0x0
 03707   388   NtClose  (244, ... ) == 0x0
 03708   388   NtClose  (268, ... ) == 0x0
 03709   388   NtClose  (272, ... ) == 0x0
 03710   388   NtClose  (260, ... ) == 0x0
 03711   388   NtClose  (264, ... ) == 0x0
 03712   388   NtClose  (292, ... ) == 0x0
 03713   388   NtClose  (284, ... ) == 0x0
 03714   388   NtClose  (288, ... ) == 0x0
 03715   388   NtClose  (276, ... ) == 0x0
 03716   388   NtClose  (280, ... ) == 0x0
 03717   388   NtClose  (296, ... ) == 0x0
 03718   388   NtClose  (300, ... ) == 0x0
 03719   388   NtClose  (312, ... ) == 0x0
 03720   388   NtClose  (316, ... ) == 0x0
 03721   388   NtClose  (304, ... ) == 0x0
 03722   388   NtClose  (308, ... ) == 0x0
 03723   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 03724   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1234724, ... ) }, 1234724, ... ) == 0x0
 03725   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1235416, ... ) }, 1235416, ... ) == 0x0
 03726   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 03727   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0
 03728   388   NtQueryVolumeInformationFile  (308, 1234724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03729   388   NtWaitForSingleObject  (212, 0, {-1000000, -1}, ... ) == 0x0
 03730   388   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 03731   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 03732   388   NtQueryInformationFile  (316, 1233312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03733   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 316, ... 312, ) == 0x0
 03734   388   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1d50000), 0x0, 1028096, ) == 0x0
 03735   388   NtQueryInformationFile  (316, 1233408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03736   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03737   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03738   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1230972, 616, BothDirectory, 1,  (300, 0, 0, 0, 1230972, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03739   388   NtClose  (300, ... ) == 0x0
 03740   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03741   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03742   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1230360, ... ) }, 1230360, ... ) == 0x0
 03743   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03744   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1,  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03745   388   NtClose  (300, ... ) == 0x0
 03746   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03747   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1,  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03748   388   NtClose  (300, ... ) == 0x0
 03749   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03750   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1,  (300, 0, 0, 0, 1229720, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03751   388   NtClose  (300, ... ) == 0x0
 03752   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03753   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03754   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03755   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03756   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 300, ) == 0x0
 03757   388   NtQueryInformationToken  (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03758   388   NtClose  (300, ... ) == 0x0
 03759   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03760   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03761   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03762   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03763   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1232640, ... ) }, 1232640, ... ) == 0x0
 03764   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03765   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1,  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03766   388   NtClose  (300, ... ) == 0x0
 03767   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03768   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1,  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03769   388   NtClose  (300, ... ) == 0x0
 03770   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0
 03771   388   NtQueryDirectoryFile  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1,  (300, 0, 0, 0, 1232000, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03772   388   NtClose  (300, ... ) == 0x0
 03773   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03774   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03775   388   NtWaitForSingleObject  (212, 0, {-1000000, -1}, ... ) == 0x0
 03776   388   NtQueryVolumeInformationFile  (308, 1233284, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03777   388   NtQueryInformationFile  (308, 1233264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 03778   388   NtQueryInformationFile  (308, 1233304, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03779   388   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 03780   388   NtUnmapViewOfSection  (-1, 0x1d50000, ... ) == 0x0
 03781   388   NtClose  (312, ... ) == 0x0
 03782   388   NtClose  (316, ... ) == 0x0
 03783   388   NtQuerySection  (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03784   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algs.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03785   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 03786   388   NtOpenProcessToken  (-1, 0xa, ... 316, ) == 0x0
 03787   388   NtQueryInformationToken  (316, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 03788   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03789   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 312, ) }, ... 312, ) == 0x0
 03790   388   NtQueryValueKey  (312,  (312, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (312, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03791   388   NtQueryValueKey  (312,  (312, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (312, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03792   388   NtClose  (312, ... ) == 0x0
 03793   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 312, ) }, ... 312, ) == 0x0
 03794   388   NtQueryValueKey  (312,  (312, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03795   388   NtQueryValueKey  (312,  (312, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (312, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 03796   388   NtClose  (312, ... ) == 0x0
 03797   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 312, ) }, ... 312, ) == 0x0
 03798   388   NtQuerySymbolicLinkObject  (312, ...  (312, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03799   388   NtClose  (312, ... ) == 0x0
 03800   388   NtQueryInformationFile  (308, 1233076, 528, Name, ... {status=0x0, info=56}, ) == 0x0
 03801   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03802   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03803   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe"}, 1231756, ... ) }, 1231756, ... ) == 0x0
 03804   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0
 03805   388   NtQueryDirectoryFile  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1,  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03806   388   NtClose  (312, ... ) == 0x0
 03807   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0
 03808   388   NtQueryDirectoryFile  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1,  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03809   388   NtClose  (312, ... ) == 0x0
 03810   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0
 03811   388   NtQueryDirectoryFile  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1,  (312, 0, 0, 0, 1231116, 616, BothDirectory, 1, "algs.exe", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03812   388   NtClose  (312, ... ) == 0x0
 03813   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03814   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03815   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 312, ) }, ... 312, ) == 0x0
 03816   388   NtQueryValueKey  (312,  (312, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03817   388   NtClose  (312, ... ) == 0x0
 03818   388   NtQueryInformationToken  (316, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03819   388   NtQueryInformationToken  (316, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03820   388   NtClose  (316, ... ) == 0x0
 03821   388   NtCreateProcessEx  (1237352, 2035711, 0, -1, 4, 304, 0, 0, 0, ... ) == 0x0
 03822   388   NtSetInformationProcess  (316, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 03823   388   NtQueryInformationProcess  (316, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=992,ParentPid=316,}, 0x0, ) == 0x0
 03824   388   NtReadVirtualMemory  (316, 0x7ffdf008, 4, ...  (316, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 03825   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\algs.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03826   388   NtReadVirtualMemory  (316, 0x400000, 4096, ...  (316, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]c\221?P\0\0\0\0PE\0\0L\1\7\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\314\240R\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0S\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\377D\300G\0\0\0\0\0\0\0\0\0\240R\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.BSS\0\0\0\0\0`\1\0\0\20\0\0P\251\0\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 03827   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03828   388   NtQueryInformationProcess  (316, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=992,ParentPid=316,}, 0x0, ) == 0x0
 03829   388   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 24707072, 4096, ) == 0x0
 03830   388   NtAllocateVirtualMemory  (316, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 03831   388   NtWriteVirtualMemory  (316, 0x10000,  (316, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 03832   388   NtAllocateVirtualMemory  (316, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 03833   388   NtWriteVirtualMemory  (316, 0x20000,  (316, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\237\0\0\0\374\0\376\0\230\4\0\08\0:\0\230\5\0\08\0:\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0:\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 03834   388   NtWriteVirtualMemory  (316, 0x7ffdf010,  (316, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03835   388   NtWriteVirtualMemory  (316, 0x7ffdf1e8,  (316, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03836   388   NtFreeVirtualMemory  (-1, (0x1790000), 0, 32768, ... (0x1790000), 4096, ) == 0x0
 03837   388   NtAllocateVirtualMemory  (316, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 03838   388   NtAllocateVirtualMemory  (316, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 03839   388   NtProtectVirtualMemory  (316, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 03840   388   NtCreateThread  (0x1f03ff, 0x0, 316, 1235616, 1236336, 1, ... 312, {992, 1000}, ) == 0x0
 03841   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1460072, 1237436}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1460072, 1237436} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\1\0\08\1\0\0\340\3\0\0\350\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1547, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\1\0\08\1\0\0\340\3\0\0\350\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 1547, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1460072, 1237436} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\1\0\08\1\0\0\340\3\0\0\350\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1547, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\1\0\08\1\0\0\340\3\0\0\350\3\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03842   388   NtResumeThread  (312, ... 1, ) == 0x0
 03843   388   NtClose  (308, ... ) == 0x0
 03844   388   NtClose  (304, ... ) == 0x0
 03845   388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 304, ) == 0x0
 03846   388   NtYieldExecution  (... ) == STATUS_NO_YIELD_PERFORMED
 03847   388   NtClose  (88, ... ) == 0x0
 03848   388   NtClose  (84, ... ) == 0x0
 03849   388   NtYieldExecution  (... ) == 0x0
 03850   388   NtClose  (108, ... ) == 0x0
 03851   388   NtClose  (92, ... ) == 0x0
 03852   388   NtTerminateProcess  (0, 0, ...
 00330   564   NtDelayExecution  ... ) == 0xc0
 00562   384   NtDelayExecution  ... ) == 0xc0
 00327   380   NtDelayExecution  ... ) == 0xc0
 02354   960   NtWaitForMultipleObjects  ... ) == 0xc0
 03852   388   NtTerminateProcess  ... ) == 0x0
 03853   388   NtRaiseException  (1237100, 1236360, 1, ...
 03854   388   NtContinue  (1235156, 0, ...
 03855   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03856   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03857   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03858   388   NtRaiseException  (1227076, 1226336, 1, ...
 03859   388   NtContinue  (1225132, 0, ...
 03860   388   NtWaitForSingleObject  (364, 0, 0x0, ... ) == 0x0
 03861   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03862   388   NtReleaseMutant  (364, ... 0x0, ) == 0x0
 03863   388   NtUnmapViewOfSection  (-1, 0x1ce0000, ... ) == 0x0
 03864   388   NtClose  (392, ... ) == 0x0
 03865   388   NtClose  (388, ... ) == 0x0
 03866   388   NtClose  (376, ... ) == 0x0
 03867   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 03868   388   NtFreeVirtualMemory  (-1, (0x1cd0000), 0, 32768, ... (0x1cd0000), 65536, ) == 0x0
 03869   388   NtClose  (368, ... ) == 0x0
 03870   388   NtClose  (372, ... ) == 0x0
 03871   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 03872   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 372, ) }, ... 372, ) == 0x0
 03873   388   NtQueryValueKey  (372,  (372, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03874   388   NtClose  (372, ... ) == 0x0
 03875   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03876   388   NtFreeVirtualMemory  (-1, (0x1780000), 0, 32768, ... (0x1780000), 65536, ) == 0x0
 03877   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03878   388   NtFreeVirtualMemory  (-1, (0x1640000), 0, 32768, ... (0x1640000), 262144, ) == 0x0
 03879   388   NtUnmapViewOfSection  (-1, 0x1620000, ... ) == 0x0
 03880   388   NtClose  (320, ... ) == 0x0
 03881   388   NtFreeVirtualMemory  (-1, (0x1630000), 4096, 16384, ... (0x1630000), 4096, ) == 0x0
 03882   388   NtFreeVirtualMemory  (-1, (0x1630000), 0, 32768, ... (0x1630000), 65536, ) == 0x0
 03883   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03884   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03885   388   NtUnmapViewOfSection  (-1, 0x15b0000, ... ) == 0x0
 03886   388   NtClose  (152, ... ) == 0x0
 03887   388   NtGdiDeleteObjectApp  (672138208, ... ) == 0x1
 03888   388   NtUserGetProcessWindowStation  (... ) == 0x28
 03889   388   NtUserBuildNameList  (40, 256, 1348456, 1237740, ... ) == 0x0
 03890   388   NtUserGetProcessWindowStation  (... ) == 0x28
 03891   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x98
 03892   388   NtUserBuildHwndList  (152, 0, 0, 0, 64, ... (0x100ac, 0x100aa, 0x100a8, 0x100a4, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100c6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20060, 0x100ae, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 35, ) == 0x0
 03893   388   NtUserQueryWindow  (65708, 0, ... ) == 0x7e0
 03894   388   NtUserQueryWindow  (65708, 1, ... ) == 0x7e4
 03895   388   NtUserQueryWindow  (65706, 0, ... ) == 0x7e0
 03896   388   NtUserQueryWindow  (65706, 1, ... ) == 0x7e4
 03897   388   NtUserQueryWindow  (65704, 0, ... ) == 0x7e0
 03898   388   NtUserQueryWindow  (65704, 1, ... ) == 0x7e4
 03899   388   NtUserQueryWindow  (65700, 0, ... ) == 0x7e0
 03900   388   NtUserQueryWindow  (65700, 1, ... ) == 0x7e4
 03901   388   NtUserQueryWindow  (131170, 0, ... ) == 0x76c
 03902   388   NtUserQueryWindow  (131170, 1, ... ) == 0x784
 03903   388   NtUserQueryWindow  (65664, 0, ... ) == 0x76c
 03904   388   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 03905   388   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x10086, 0x10088, 0x1008a, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 03906   388   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 03907   388   NtUserQueryWindow  (65666, 1, ... ) == 0x784
 03908   388   NtUserQueryWindow  (65670, 0, ... ) == 0x76c
 03909   388   NtUserQueryWindow  (65670, 1, ... ) == 0x784
 03910   388   NtUserQueryWindow  (65672, 0, ... ) == 0x76c
 03911   388   NtUserQueryWindow  (65672, 1, ... ) == 0x784
 03912   388   NtUserQueryWindow  (65674, 0, ... ) == 0x76c
 03913   388   NtUserQueryWindow  (65674, 1, ... ) == 0x784
 03914   388   NtUserQueryWindow  (65682, 0, ... ) == 0x76c
 03915   388   NtUserQueryWindow  (65682, 1, ... ) == 0x784
 03916   388   NtUserQueryWindow  (65684, 0, ... ) == 0x76c
 03917   388   NtUserQueryWindow  (65684, 1, ... ) == 0x784
 03918   388   NtUserQueryWindow  (65686, 0, ... ) == 0x76c
 03919   388   NtUserQueryWindow  (65686, 1, ... ) == 0x784
 03920   388   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 03921   388   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 03922   388   NtUserQueryWindow  (65690, 0, ... ) == 0x76c
 03923   388   NtUserQueryWindow  (65690, 1, ... ) == 0x784
 03924   388   NtUserQueryWindow  (65694, 0, ... ) == 0x76c
 03925   388   NtUserQueryWindow  (65694, 1, ... ) == 0x784
 03926   388   NtUserQueryWindow  (65696, 0, ... ) == 0x76c
 03927   388   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 03928   388   NtUserQueryWindow  (65698, 0, ... ) == 0x76c
 03929   388   NtUserQueryWindow  (65698, 1, ... ) == 0x784
 03930   388   NtUserQueryWindow  (65652, 0, ... ) == 0x76c
 03931   388   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 03932   388   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 03933   388   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 03934   388   NtUserQueryWindow  (196682, 0, ... ) == 0x76c
 03935   388   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 03936   388   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 03937   388   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 03938   388   NtUserQueryWindow  (196684, 0, ... ) == 0x76c
 03939   388   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 03940   388   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 03941   388   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 03942   388   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 03943   388   NtUserQueryWindow  (196670, 0, ... ) == 0x76c
 03944   388   NtUserQueryWindow  (196670, 1, ... ) == 0x784
 03945   388   NtUserQueryWindow  (196674, 0, ... ) == 0x76c
 03946   388   NtUserQueryWindow  (196674, 1, ... ) == 0x784
 03947   388   NtUserQueryWindow  (196672, 0, ... ) == 0x76c
 03948   388   NtUserQueryWindow  (196672, 1, ... ) == 0x784
 03949   388   NtUserQueryWindow  (196676, 0, ... ) == 0x76c
 03950   388   NtUserQueryWindow  (196676, 1, ... ) == 0x784
 03951   388   NtUserQueryWindow  (196678, 0, ... ) == 0x76c
 03952   388   NtUserQueryWindow  (196678, 1, ... ) == 0x784
 03953   388   NtUserQueryWindow  (196680, 0, ... ) == 0x76c
 03954   388   NtUserQueryWindow  (196680, 1, ... ) == 0x784
 03955   388   NtUserQueryWindow  (65642, 0, ... ) == 0x76c
 03956   388   NtUserQueryWindow  (65642, 1, ... ) == 0x784
 03957   388   NtUserQueryWindow  (65646, 0, ... ) == 0x76c
 03958   388   NtUserQueryWindow  (65646, 1, ... ) == 0x784
 03959   388   NtUserQueryWindow  (65650, 0, ... ) == 0x76c
 03960   388   NtUserQueryWindow  (65650, 1, ... ) == 0x784
 03961   388   NtUserQueryWindow  (65692, 0, ... ) == 0x76c
 03962   388   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 03963   388   NtUserQueryWindow  (65680, 0, ... ) == 0x76c
 03964   388   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 03965   388   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 03966   388   NtUserQueryWindow  (65660, 1, ... ) == 0x770
 03967   388   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03968   388   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 03969   388   NtUserQueryWindow  (65734, 0, ... ) == 0x3c4
 03970   388   NtUserQueryWindow  (65734, 1, ... ) == 0x3c8
 03971   388   NtUserQueryWindow  (65726, 0, ... ) == 0x7e8
 03972   388   NtUserQueryWindow  (65726, 1, ... ) == 0x7ec
 03973   388   NtUserQueryWindow  (65724, 0, ... ) == 0x7e8
 03974   388   NtUserQueryWindow  (65724, 1, ... ) == 0x7ec
 03975   388   NtUserQueryWindow  (65722, 0, ... ) == 0x7e8
 03976   388   NtUserQueryWindow  (65722, 1, ... ) == 0x7ec
 03977   388   NtUserQueryWindow  (65720, 0, ... ) == 0x7e8
 03978   388   NtUserQueryWindow  (65720, 1, ... ) == 0x7ec
 03979   388   NtUserQueryWindow  (65718, 0, ... ) == 0x7e8
 03980   388   NtUserQueryWindow  (65718, 1, ... ) == 0x7ec
 03981   388   NtUserQueryWindow  (65716, 0, ... ) == 0x7e8
 03982   388   NtUserQueryWindow  (65716, 1, ... ) == 0x7ec
 03983   388   NtUserQueryWindow  (65714, 0, ... ) == 0x7e8
 03984   388   NtUserQueryWindow  (65714, 1, ... ) == 0x7ec
 03985   388   NtUserQueryWindow  (65712, 0, ... ) == 0x7e8
 03986   388   NtUserQueryWindow  (65712, 1, ... ) == 0x7ec
 03987   388   NtUserQueryWindow  (131168, 0, ... ) == 0x7f4
 03988   388   NtUserQueryWindow  (131168, 1, ... ) == 0x7f8
 03989   388   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 03990   388   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 03991   388   NtUserQueryWindow  (131166, 0, ... ) == 0x7d8
 03992   388   NtUserQueryWindow  (131166, 1, ... ) == 0x7dc
 03993   388   NtUserQueryWindow  (65644, 0, ... ) == 0x76c
 03994   388   NtUserQueryWindow  (65644, 1, ... ) == 0x7b0
 03995   388   NtUserQueryWindow  (327760, 0, ... ) == 0x76c
 03996   388   NtUserQueryWindow  (327760, 1, ... ) == 0x770
 03997   388   NtUserQueryWindow  (262228, 0, ... ) == 0x76c
 03998   388   NtUserQueryWindow  (262228, 1, ... ) == 0x770
 03999   388   NtUserQueryWindow  (327758, 0, ... ) == 0x76c
 04000   388   NtUserQueryWindow  (327758, 1, ... ) == 0x770
 04001   388   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 04002   388   NtUserQueryWindow  (65662, 1, ... ) == 0x770
 04003   388   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 04004   388   NtUserQueryWindow  (65654, 1, ... ) == 0x770
 04005   388   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 04006   388   NtUserQueryWindow  (65656, 0, ... ) == 0x76c
 04007   388   NtUserQueryWindow  (65656, 1, ... ) == 0x770
 04008   388   NtUserQueryWindow  (65658, 0, ... ) == 0x76c
 04009   388   NtUserQueryWindow  (65658, 1, ... ) == 0x770
 04010   388   NtUserCloseDesktop  (152, ...
 04011   388   NtClose  (152, ... ) == 0x0
 04010   388   NtUserCloseDesktop  ... ) == 0x1
 04012   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04013   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04014   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04015   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04016   388   NtGdiDeleteObjectApp  (302646246, ... ) == 0x1
 04017   388   NtGdiDeleteObjectApp  (101319650, ... ) == 0x1
 04018   388   NtClose  (12, ... ) == 0x0
 04019   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 04020   388   NtFreeVirtualMemory  (-1, (0x151000), 16384, 16384, ... (0x151000), 16384, ) == 0x0
 04021   388   NtClose  (144, ... ) == 0x0
 04022   388   NtUnmapViewOfSection  (-1, 0x1550000, ... ) == 0x0
 04023   388   NtClose  (148, ... ) == 0x0
 04024   388   NtClose  (140, ... ) == 0x0
 04025   388   NtFreeVirtualMemory  (-1, (0x1570000), 0, 32768, ... (0x1570000), 262144, ) == 0x0
 04026   388   NtUserUnregisterClass  (1237700, 1991376896, 1237688, ... ) == 0x0
 04027   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 04028   388   NtUnmapViewOfSection  (-1, 0x18a0000, ... ) == 0x0
 04029   388   NtClose  (360, ... ) == 0x0
 04030   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc03b
 04031   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04032   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc03d
 04033   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04034   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc03f
 04035   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04036   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc041
 04037   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04038   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc043
 04039   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04040   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc045
 04041   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04042   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc047
 04043   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04044   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc049
 04045   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04046   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc04b
 04047   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04048   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc04d
 04049   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04050   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc04f
 04051   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04052   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc051
 04053   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04054   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc053
 04055   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04056   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc057
 04057   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04058   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc059
 04059   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04060   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc05b
 04061   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04062   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc05d
 04063   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04064   388   NtUserGetClassInfo  (1999896576, 1237788, 1237740, 1237816, 0, ... ) == 0xc05f
 04065   388   NtUserUnregisterClass  (1237792, 1999896576, 1237780, ... ) == 0x1
 04066   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc03b
 04067   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04068   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc03d
 04069   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04070   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc03f
 04071   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04072   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc041
 04073   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04074   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc043
 04075   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04076   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc045
 04077   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04078   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc047
 04079   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04080   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc049
 04081   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04082   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc04b
 04083   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04084   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc04d
 04085   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04086   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc04f
 04087   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04088   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc051
 04089   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04090   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc053
 04091   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04092   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc057
 04093   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04094   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc059
 04095   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04096   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc05b
 04097   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04098   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc05d
 04099   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04100   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc05f
 04101   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04102   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc017
 04103   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04104   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc019
 04105   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04106   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc018
 04107   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04108   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc01a
 04109   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04110   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc01c
 04111   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04112   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc01e
 04113   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04114   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc01b
 04115   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04116   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc068
 04117   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04118   388   NtUserGetClassInfo  (1905590272, 1237788, 1237740, 1237816, 0, ... ) == 0xc06a
 04119   388   NtUserUnregisterClass  (1237792, 1905590272, 1237780, ... ) == 0x1
 04120   388   NtUnmapViewOfSection  (-1, 0x1560000, ... ) == 0x0
 04121   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04122   388   NtClose  (384, ... ) == 0x0
 04123   388   NtClose  (200, ... ) == 0x0
 04124   388   NtClose  (400, ... ) == 0x0
 04125   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04126   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04127   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04128   388   NtClose  (196, ... ) == 0x0
 04129   388   NtClose  (404, ... ) == 0x0
 04130   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04131   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04132   388   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 04133   388   NtUserUnhookWindowsHookEx  (196685, ... ) == 0x1
 04134   388   NtTerminateThread  (72, 0, ... ) == 0x0
 04135   388   NtTerminateThread  (68, 0, ... ) == 0x0
 04136   388   NtTerminateThread  (60, 0, ... ) == 0x0
 04137   388   NtUserKillTimer  (0, 32761, ... ) == 0x1
 04138   388   NtClose  (76, ... ) == 0x0
 04139   388   NtClose  (160, ... ) == 0x0
 04140   388   NtFreeVirtualMemory  (-1, (0x1ca0000), 4096, 32768, ... (0x1ca0000), 4096, ) == 0x0
 04141   388   NtClose  (332, ... ) == 0x0
 04142   388   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1238292, 2012553151, 1310720}  (24, {20, 48, new_msg, 0, 0, 1238292, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 388, 1560, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 316, 388, 1560, 0}  (24, {20, 48, new_msg, 0, 0, 1238292, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 388, 1560, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04143   388   NtTerminateProcess  (-1, 0, ...
 04144   388   NtClose  (44, ... ) == 0x0