Summary:


NtCallbackReturn(>)  1 
NtDuplicateObject(>)  2 
NtGdiSaveDC(>)  7 
NtQueryDebugFilterState(>)  23 

NtConnectPort(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWriteFile(>)  23 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryDirectoryFile(>)  7 
NtCreateEvent(>)  24 

NtCreateThread(>)  1 
NtOpenProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtCreateFile(>)  24 

NtDuplicateToken(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtUserSetCursorIconData(>)  7 
NtReadFile(>)  24 

NtEnumerateValueKey(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiCreateBitmap(>)  8 
NtOpenProcessTokenEx(>)  26 

NtFsControlFile(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtSetInformationProcess(>)  8 
NtOpenThreadTokenEx(>)  26 

NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtCreateKey(>)  9 
NtFreeVirtualMemory(>)  31 

NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtCreateSemaphore(>)  10 
NtQuerySection(>)  32 

NtGdiQueryFontAssocInfo(>)  1 
NtAddAtom(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtQueryInformationToken(>)  33 

NtOpenKeyedEvent(>)  1 
NtClearEvent(>)  3 
NtGdiExtGetObjectW(>)  10 
NtQuerySystemInformation(>)  35 

NtQueryEvent(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDefaultUILanguage(>)  10 
NtWaitForSingleObject(>)  37 

NtQueryInformationJobObject(>)  1 
NtNotifyChangeKey(>)  3 
NtOpenMutant(>)  11 
NtProtectVirtualMemory(>)  41 

NtQueryObject(>)  1 
NtOpenEvent(>)  3 
NtRequestWaitReplyPort(>)  11 
NtCreateSection(>)  43 

NtQueryPerformanceCounter(>)  1 
NtReleaseSemaphore(>)  3 
NtUserGetDC(>)  11 
NtUserUnregisterClass(>)  46 

NtQueryTimerResolution(>)  1 
NtSetInformationObject(>)  3 
NtQueryVolumeInformationFile(>)  12 
NtReleaseMutant(>)  48 

NtRegisterThreadTerminatePort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtSetValueKey(>)  13 
NtOpenSection(>)  54 

NtResumeThread(>)  1 
NtWriteVirtualMemory(>)  4 
NtUserSystemParametersInfo(>)  13 
NtQueryVirtualMemory(>)  56 

NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  5 
NtQueryInformationProcess(>)  14 
NtGdiSelectBitmap(>)  57 

NtTestAlert(>)  1 
NtDeviceIoControlFile(>)  6 
NtSetInformationThread(>)  14 
NtUserRegisterClassExWOW(>)  63 

NtUserCallNoParam(>)  1 
NtEnumerateKey(>)  6 
NtUserSelectPalette(>)  14 
NtMapViewOfSection(>)  69 

NtUserEnumDisplayMonitors(>)  1 
NtOpenProcessToken(>)  6 
NtSetInformationFile(>)  15 
NtUserFindExistingCursorIcon(>)  72 

NtUserGetKeyboardLayoutList(>)  1 
NtSetEvent(>)  6 
NtGdiDeleteObjectApp(>)  18 
NtOpenFile(>)  73 

NtUserGetObjectInformation(>)  1 
NtCreateMutant(>)  7 
NtUnmapViewOfSection(>)  18 
NtUserGetClassInfo(>)  82 

NtUserGetProcessWindowStation(>)  1 
NtGdiBitBlt(>)  7 
NtQueryDefaultLocale(>)  19 
NtAllocateVirtualMemory(>)  120 

NtUserGetThreadDesktop(>)  1 
NtGdiCreateDIBitmapInternal(>)  7 
NtContinue(>)  20 
NtQueryAttributesFile(>)  129 

NtUserSetWindowsHookEx(>)  1 
NtGdiGetDCObject(>)  7 
NtFlushInstructionCache(>)  20 
NtOpenKey(>)  195 

NtAccessCheck(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtUserCallOneParam(>)  20 
NtClose(>)  336 

NtDelayExecution(>)  2 
NtGdiGetStockObject(>)  7 
NtQueryInformationFile(>)  21 
NtQueryValueKey(>)  340 

NtDeleteAtom(>)  2 
NtGdiRestoreDC(>)  7 
NtUserRegisterWindowMessage(>)  22 

Trace:
 00001   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   484   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   484   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   484   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   484   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   484   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   484   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   484   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   484   NtClose  (12, ... ) == 0x0
 00014   484   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   484   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   484   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   484   NtClose  (16, ... ) == 0x0
 00021   484   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   484   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   484   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   484   NtClose  (16, ... ) == 0x0
 00026   484   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   484   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   484   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   484   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 484, 1484, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 484, 1484, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 484, 1484, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   484   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   484   NtClose  (16, ... ) == 0x0
 00036   484   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   484   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   484   NtClose  (28, ... ) == 0x0
 00041   484   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   484   NtClose  (28, ... ) == 0x0
 00045   484   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   484   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   484   NtClose  (28, ... ) == 0x0
 00049   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   484   NtClose  (28, ... ) == 0x0
 00052   484   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 484, 1486, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 464, 484, 1486, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 484, 1486, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   484   NtProtectVirtualMemory  (-1, (0x47c000), 8192, 4, ... (0x47c000), 8192, 128, ) == 0x0
 00057   484   NtProtectVirtualMemory  (-1, (0x47c000), 8192, 128, ... (0x47c000), 8192, 4, ) == 0x0
 00058   484   NtFlushInstructionCache  (-1, 4702208, 8192, ... ) == 0x0
 00059   484   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   484   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   484   NtClose  (28, ... ) == 0x0
 00062   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   484   NtClose  (28, ... ) == 0x0
 00065   484   NtTestAlert  (... ) == 0x0
 00066   484   NtContinue  (1244464, 1, ...
 00067   484   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47e000,}, 4, ... ) == 0x0
 00068   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00069   484   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00070   484   NtClose  (28, ... ) == 0x0
 00071   484   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00072   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00073   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00074   484   NtClose  (28, ... ) == 0x0
 00075   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00076   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00077   484   NtClose  (28, ... ) == 0x0
 00078   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00079   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00080   484   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00081   484   NtClose  (28, ... ) == 0x0
 00082   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00083   484   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   484   NtClose  (28, ... ) == 0x0
 00085   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00086   484   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00087   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 32, ) == 0x0
 00090   484   NtQueryInformationToken  (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00091   484   NtClose  (32, ... ) == 0x0
 00092   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0
 00093   484   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00094   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 36, ) }, ... 36, ) == 0x0
 00095   484   NtQueryValueKey  (36,  (36, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   484   NtClose  (36, ... ) == 0x0
 00097   484   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00098   484   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00099   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) == 0x0
 00100   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00101   484   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 464, 484, 1504, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 464, 484, 1504, 0}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 464, 484, 1504, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00102   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) == 0x0
 00103   484   NtClose  (40, ... ) == 0x0
 00104   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00105   484   NtClose  (-2147482036, ... ) == 0x0
 00104   484   NtCreateFile  ... 40, {status=0x0, info=3}, ) == 0x0
 00106   484   NtSetInformationFile  (36, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00107   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\300z"\0\217 r\0\211 }\0r\337r\05 r\0\215 r\0\315 h\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215"r\070r\16\222\224{\315\254\230sL@\1\342\220\331H\33s\255P\0o\352R\23m\255M\7s\371\0\20e\255R\7n\255U\34d\350RRW\344NA2\200*V7\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0", ) \0\217 r\0\211 }\0r\337r\05 r\0\215 r\0\315 h\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\300z"\0\217 r\0\211 }\0r\337r\05 r\0\215 r\0\315 h\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215"r\070r\16\222\224{\315\254\230sL@\1\342\220\331H\33s\255P\0o\352R\23m\255M\7s\371\0\20e\255R\7n\255U\34d\350RRW\344NA2\200*V7\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0\215 r\0", ) , ) == 0x0
 00108   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00109   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\330(D\34\342\34?E\342R\13,-M\23\10\275#\363\7E\350\24\331\357\3403\304Ec\272<\217l\0\334e\321\30D\347@#\271\211;\16\377\253\342*}\10\217|D\326\210\272\270\5q\15\300\353\253"\1\335\266\31g\354"2\315\361\37s\23d_\32\16\342wRx\25#\21\7\371Ae\255\220\330K\363H1,e\202\240\305\216\31\232\353\323w\256\200\212\247\362\302Z+\5C\2411P\301\234 x^\320\|8\300\261\2531\320;d\31\35\260\252\2256\222"\12!7\371Q\302(\26\203\35$z#A\362^\210\275\346\11\22\314.\223\311ufZIi\26i\37\211\357\202f]\334\3063\213\343\223\15\274\242\2124SL0\266\335D\202X\263\26\240 I\225WE\244\272\257\301\16\3Pddr(\214\374\362\24\16\32X\12\375%w\34\346\213\244\12ep\240<\253P\334\10\333T\7\310\310\246g\212P\355\236\10K \25)\16\31\212\251v\4\270\232\317cKR\227`%\344\35\26C\15\6aF\324$\211\277\\3045w-A\4\352\365\315- \314\335\263\362\221 \262\234\334\24\361V\370(]'uM\253/\304Fy\344\357\1\343\332\306!\220\306F\335.\223\224\265\350!\1\23\210E\225\253\364Z\217>\223\267\223{\32U\250, \314m\342\30\361x\325MB\2139\2538X\240\4u\220\362\350R^\224\303Y\227\231\337\215\12\241XN\231\2548\26\360Y\261\12]\260\16\321\261YE\225\354\214\373~p\207\376\201P\352C\272\266\223bQ\350\364\310y5\344\226\226&ix}\11P\375B\2\217@2\3\37h\332\211\317xI2\251{\225\324Ys\321\17\111\300\1a?\303\22\351h\272\324\212\344(\274\350\211\225$\206+ia\13\354\364[!\320\257\17", ) \1\335\266\31g\354 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\330(D\34\342\34?E\342R\13,-M\23\10\275#\363\7E\350\24\331\357\3403\304Ec\272<\217l\0\334e\321\30D\347@#\271\211;\16\377\253\342*}\10\217|D\326\210\272\270\5q\15\300\353\253"\1\335\266\31g\354"2\315\361\37s\23d_\32\16\342wRx\25#\21\7\371Ae\255\220\330K\363H1,e\202\240\305\216\31\232\353\323w\256\200\212\247\362\302Z+\5C\2411P\301\234 x^\320\|8\300\261\2531\320;d\31\35\260\252\2256\222"\12!7\371Q\302(\26\203\35$z#A\362^\210\275\346\11\22\314.\223\311ufZIi\26i\37\211\357\202f]\334\3063\213\343\223\15\274\242\2124SL0\266\335D\202X\263\26\240 I\225WE\244\272\257\301\16\3Pddr(\214\374\362\24\16\32X\12\375%w\34\346\213\244\12ep\240<\253P\334\10\333T\7\310\310\246g\212P\355\236\10K \25)\16\31\212\251v\4\270\232\317cKR\227`%\344\35\26C\15\6aF\324$\211\277\\3045w-A\4\352\365\315- \314\335\263\362\221 \262\234\334\24\361V\370(]'uM\253/\304Fy\344\357\1\343\332\306!\220\306F\335.\223\224\265\350!\1\23\210E\225\253\364Z\217>\223\267\223{\32U\250, \314m\342\30\361x\325MB\2139\2538X\240\4u\220\362\350R^\224\303Y\227\231\337\215\12\241XN\231\2548\26\360Y\261\12]\260\16\321\261YE\225\354\214\373~p\207\376\201P\352C\272\266\223bQ\350\364\310y5\344\226\226&ix}\11P\375B\2\217@2\3\37h\332\211\317xI2\251{\225\324Ys\321\17\111\300\1a?\303\22\351h\272\324\212\344(\274\350\211\225$\206+ia\13\354\364[!\320\257\17", ) \12!7\371Q\302(\26\203\35$z#A\362^\210\275\346\11\22\314.\223\311ufZIi\26i\37\211\357\202f]\334\3063\213\343\223\15\274\242\2124SL0\266\335D\202X\263\26\240 I\225WE\244\272\257\301\16\3Pddr(\214\374\362\24\16\32X\12\375%w\34\346\213\244\12ep\240<\253P\334\10\333T\7\310\310\246g\212P\355\236\10K \25)\16\31\212\251v\4\270\232\317cKR\227`%\344\35\26C\15\6aF\324$\211\277\\3045w-A\4\352\365\315- \314\335\263\362\221 \262\234\334\24\361V\370(]'uM\253/\304Fy\344\357\1\343\332\306!\220\306F\335.\223\224\265\350!\1\23\210E\225\253\364Z\217>\223\267\223{\32U\250, \314m\342\30\361x\325MB\2139\2538X\240\4u\220\362\350R^\224\303Y\227\231\337\215\12\241XN\231\2548\26\360Y\261\12]\260\16\321\261YE\225\354\214\373~p\207\376\201P\352C\272\266\223bQ\350\364\310y5\344\226\226&ix}\11P\375B\2\217@2\3\37h\332\211\317xI2\251{\225\324Ys\321\17\111\300\1a?\303\22\351h\272\324\212\344(\274\350\211\225$\206+ia\13\354\364[!\320\257\17", ) == 0x0
 00110   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00111   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Z\342yX52gw\274*~H^m\261\30\307\266>\340\330\205\300H\215\213\340\345=\245\305}\225d2\221h\260\27Z\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1", ) \15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Z\342yX52gw\274*~H^m\261\30\307\266>\340\330\205\300H\215\213\340\345=\245\305}\225d2\221h\260\27Z\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1", ) \303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1", ) == 0x0
 00112   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00113   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\33\313\217\265\15\367\336f\336\251\367\6\233\240\370\265\372\346\367\227\362.\5\21\353\237\306\22\330,\27\211\204\200+\6>\347\23\35\275\234n\2109[\355\240\7\255\347>\207 \306\274\352\165\263\374\12\2620\224y\3514\214\347p\316\11\202-\271\4\267Ft\205zv\310\20\244\344\244\246\376\203t\356{!\364\330rV\361\330( "\312\240\2645\5\2547\13\305\242\331\200#\252~&\244\240C\254\260\304\231\12\220+\5\266{\246\217\13\302\252'\373\232q7v\270F\263i\275\241\2261J|\4\214\250X^\2\207`\360\32\11+\212B*6\362{\270\226b\31C\276\2\353\212\4\246\350\276\240\344t\16bU!\345y2{\36"\377\5\231\306\261\377\240\15\236N\353\201\345\360\353\207R\364\230\246\322\266Y*\206\364]\352b\240\257p\302\326\240\371uCqm\35\0\266pN/\241\1Q\207\235WN8\226R\272\310\261\30N8\244\1T\205*\307=\210\212\373Iw\326.\346\341\214,\322\346L\275r\233\205Zt\243\226"\,H\347$\272'\21dz{\342b\360\334\255\340`\166f\310i|\340\246-\223=X}\313n\30\321\200\331aE\223b\35\276\351&\17\32\252i\0\12\314j\1OP\253\22/.\261^\262!\200\204\326\247Y\271\330\336\206\158\326v\322\360\3267\376\372v\252\353\2471^\332\217f\216\26S]A:\261]y`\3198\33\203\272\32O\34d/\25\205\4P\16\214<3\340\355\267\20\364\316\252`\20yz\324\266\213)\35\21u\320\336\0\225\300vU\243)[*\204$\325\26\205p\36\2531\324a\4F\250U\247\317&XHe\270\2019Tn\307jx&\202\354cK \321^`\212\234O"F\0\336W\14\350\362P\31\330!0m\322uu/8", ) \312\240\2645\5\2547\13\305\242\331\200#\252~&\244\240C\254\260\304\231\12\220+\5\266{\246\217\13\302\252'\373\232q7v\270F\263i\275\241\2261J|\4\214\250X^\2\207`\360\32\11+\212B*6\362{\270\226b\31C\276\2\353\212\4\246\350\276\240\344t\16bU!\345y2{\36 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\33\313\217\265\15\367\336f\336\251\367\6\233\240\370\265\372\346\367\227\362.\5\21\353\237\306\22\330,\27\211\204\200+\6>\347\23\35\275\234n\2109[\355\240\7\255\347>\207 \306\274\352\165\263\374\12\2620\224y\3514\214\347p\316\11\202-\271\4\267Ft\205zv\310\20\244\344\244\246\376\203t\356{!\364\330rV\361\330( "\312\240\2645\5\2547\13\305\242\331\200#\252~&\244\240C\254\260\304\231\12\220+\5\266{\246\217\13\302\252'\373\232q7v\270F\263i\275\241\2261J|\4\214\250X^\2\207`\360\32\11+\212B*6\362{\270\226b\31C\276\2\353\212\4\246\350\276\240\344t\16bU!\345y2{\36"\377\5\231\306\261\377\240\15\236N\353\201\345\360\353\207R\364\230\246\322\266Y*\206\364]\352b\240\257p\302\326\240\371uCqm\35\0\266pN/\241\1Q\207\235WN8\226R\272\310\261\30N8\244\1T\205*\307=\210\212\373Iw\326.\346\341\214,\322\346L\275r\233\205Zt\243\226"\,H\347$\272'\21dz{\342b\360\334\255\340`\166f\310i|\340\246-\223=X}\313n\30\321\200\331aE\223b\35\276\351&\17\32\252i\0\12\314j\1OP\253\22/.\261^\262!\200\204\326\247Y\271\330\336\206\158\326v\322\360\3267\376\372v\252\353\2471^\332\217f\216\26S]A:\261]y`\3198\33\203\272\32O\34d/\25\205\4P\16\214<3\340\355\267\20\364\316\252`\20yz\324\266\213)\35\21u\320\336\0\225\300vU\243)[*\204$\325\26\205p\36\2531\324a\4F\250U\247\317&XHe\270\2019Tn\307jx&\202\354cK \321^`\212\234O"F\0\336W\14\350\362P\31\330!0m\322uu/8", ) \,H\347$\272'\21dz{\342b\360\334\255\340`\166f\310i|\340\246-\223=X}\313n\30\321\200\331aE\223b\35\276\351&\17\32\252i\0\12\314j\1OP\253\22/.\261^\262!\200\204\326\247Y\271\330\336\206\158\326v\322\360\3267\376\372v\252\353\2471^\332\217f\216\26S]A:\261]y`\3198\33\203\272\32O\34d/\25\205\4P\16\214<3\340\355\267\20\364\316\252`\20yz\324\266\213)\35\21u\320\336\0\225\300vU\243)[*\204$\325\26\205p\36\2531\324a\4F\250U\247\317&XHe\270\2019Tn\307jx&\202\354cK \321^`\212\234O (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\33\313\217\265\15\367\336f\336\251\367\6\233\240\370\265\372\346\367\227\362.\5\21\353\237\306\22\330,\27\211\204\200+\6>\347\23\35\275\234n\2109[\355\240\7\255\347>\207 \306\274\352\165\263\374\12\2620\224y\3514\214\347p\316\11\202-\271\4\267Ft\205zv\310\20\244\344\244\246\376\203t\356{!\364\330rV\361\330( "\312\240\2645\5\2547\13\305\242\331\200#\252~&\244\240C\254\260\304\231\12\220+\5\266{\246\217\13\302\252'\373\232q7v\270F\263i\275\241\2261J|\4\214\250X^\2\207`\360\32\11+\212B*6\362{\270\226b\31C\276\2\353\212\4\246\350\276\240\344t\16bU!\345y2{\36"\377\5\231\306\261\377\240\15\236N\353\201\345\360\353\207R\364\230\246\322\266Y*\206\364]\352b\240\257p\302\326\240\371uCqm\35\0\266pN/\241\1Q\207\235WN8\226R\272\310\261\30N8\244\1T\205*\307=\210\212\373Iw\326.\346\341\214,\322\346L\275r\233\205Zt\243\226"\,H\347$\272'\21dz{\342b\360\334\255\340`\166f\310i|\340\246-\223=X}\313n\30\321\200\331aE\223b\35\276\351&\17\32\252i\0\12\314j\1OP\253\22/.\261^\262!\200\204\326\247Y\271\330\336\206\158\326v\322\360\3267\376\372v\252\353\2471^\332\217f\216\26S]A:\261]y`\3198\33\203\272\32O\34d/\25\205\4P\16\214<3\340\355\267\20\364\316\252`\20yz\324\266\213)\35\21u\320\336\0\225\300vU\243)[*\204$\325\26\205p\36\2531\324a\4F\250U\247\317&XHe\270\2019Tn\307jx&\202\354cK \321^`\212\234O"F\0\336W\14\350\362P\31\330!0m\322uu/8", ) , ) == 0x0
 00114   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (40, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00115   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\222O\260#\2540\262\115\14\240\345\351/\333y\353\342\363\307\315Bi\341\223\2\360|\214(\360.\3256g&\256\213\232{\314\222\261\270\203,\312%\314\234\243\273\4xTw[\255\2\30\232\230\303\263J*\373\34D2\17\314\313\232y \205v\351\301\33\210\250\233\340-\224{\1 \234YWJn\334Q\10u\361\370\365\337\210\217$\265]\215\236S\264k\310cx\267Fma=\350\22\315y=\216\252\330\262X\262' '\315\363\267J\322\270VW_\371?%\307\203+pC\250\10\3508f!\235\305/\3\34\5=\351\4YaM\177P\243}\236\271\372l\12\353\260\221\310\370\235T{FQ8\34\303\205\206U\25Q>zD\362\270\237\242\356\0\307\347M`\313\14\276a\247\222\361!\314v\5\1\36509\356\2\302\224\351;q\332sI\370>\177f\237\370i\326;\310\240\7>\351M\252C\331VFJ\331\343\372=\215*\230\4=\32Rm\267I\311\303\353\351\32*\2739\247\241}\257Z\30\270\220\331\366\277\370\26$\23I\177X\272\342Uh\1\23\251\265\226\240\2360\272\351\206\246\224+\3725'\207D\31\273\16\3\265\2056b\214g7\373\342\241\355\257q\345\210\302$\311\225;\4\2155\372\367\207~"\345\265\273\36\362\237P7\344\335\230kF\27\254y\254\10@\373\24[\240\366\35\347dF=\213@QFV\255\324H#\237\376\2\313\236\231 \345B\345\213\1!sX5\242\327I\201y\225\362\237\300\21\2_\260\226i\201N\222\14\177%w\333\214:\222\262\202\247\357\330\207\250It\277\336\314j\207\271\222\340\337\214I\2050W\324\211\1\302\177=\351\344\30\201\266!|\333\2023\357\15\221:i\236:e\217\332\362)\370\344\35d\311\277\370\340\215\233\354[\343\206j:\7", ) \345\265\273\36\362\237P7\344\335\230kF\27\254y\254\10@\373\24[\240\366\35\347dF=\213@QFV\255\324H#\237\376\2\313\236\231 \345B\345\213\1!sX5\242\327I\201y\225\362\237\300\21\2_\260\226i\201N\222\14\177%w\333\214:\222\262\202\247\357\330\207\250It\277\336\314j\207\271\222\340\337\214I\2050W\324\211\1\302\177=\351\344\30\201\266!|\333\2023\357\15\221:i\236:e\217\332\362)\370\344\35d\311\277\370\340\215\233\354[\343\206j:\7", ) == 0x0
 00116   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00117   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\277\276"\20J\02\12?hN\350S+$\34\205\15W\14\271\362s\324F\7\206\377\15}\313A\257\256\351\275Rhy\250R\6\200+J~  \221\353\214\342\317\225\242R\21>\371\373\35O\231\22\3267|\332\353\337d-\211G\317Kb\33\231J\346\272YU\371xEW\273\0\25\22\216\4W\21~\24S%"\264\362\341\310\360/N\27\257\27\377i\7\13\336\237R\374\252\101\6%\273\350\23\267og\364\312cB\202\330\307&\36\25\216\13"j\13`\237u\323\227\350[\230\344V\1\10\271\273\325\27\206\313t\216\325\270\21\240n\35\11>\206\33\237U\304>\223\264L\27\206\304Hi\3B "\13\3560Rk\234>\354\212+\0\232\13\366\177h\3\307}\363x\231\344(\357\243\30\14\23\330\6\323'\301\226\31'\372D&\317\337&bS\321D9c\6=\213J\265\13\36\260Z\261h\304\206.\240 \330\25\36\24\202?\334\32\231^\252;\336\4\332\345K\201\320]\210\2671\30\3\344\237\200xl\336#]\251P\306\316'\367\373F\23\233\1\\344Xe\215a\366\12\333\204\31\337\363\337a\211\211\3462,\215#W@\340\24p\324\36\14\24\210\20H\26\242\211\361\11~\255\300c\360\362\34\225:\327\210\10\237{e\6\371\201\373?\21\226:\276-\271\360\14\4\342\313^\215\311\333t\205_]p\300\246$a\353Fv\320j\330=l\14\371.v\2174m_\27\235\13\260\263\270W\5\4\363&\252\344E\13\270\15\273B^>\6//\20\371=\306\205\35a\310\0T\230\3623\324\317\260\342sw3\36\271\245\37\200V\33\33t\224\320~P\220\22{'C\30\273;\275\240.\310\215\224B\366\254\200\10>/\372\41\15\376\204\272sJ\27\4pJ\221\14\212\343&?#f\275", ) \20J\02\12?hN\350S+$\34\205\15W\14\271\362s\324F\7\206\377\15}\313A\257\256\351\275Rhy\250R\6\200+J~  \221\353\214\342\317\225\242R\21>\371\373\35O\231\22\3267|\332\353\337d-\211G\317Kb\33\231J\346\272YU\371xEW\273\0\25\22\216\4W\21~\24S% (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\277\276"\20J\02\12?hN\350S+$\34\205\15W\14\271\362s\324F\7\206\377\15}\313A\257\256\351\275Rhy\250R\6\200+J~  \221\353\214\342\317\225\242R\21>\371\373\35O\231\22\3267|\332\353\337d-\211G\317Kb\33\231J\346\272YU\371xEW\273\0\25\22\216\4W\21~\24S%"\264\362\341\310\360/N\27\257\27\377i\7\13\336\237R\374\252\101\6%\273\350\23\267og\364\312cB\202\330\307&\36\25\216\13"j\13`\237u\323\227\350[\230\344V\1\10\271\273\325\27\206\313t\216\325\270\21\240n\35\11>\206\33\237U\304>\223\264L\27\206\304Hi\3B "\13\3560Rk\234>\354\212+\0\232\13\366\177h\3\307}\363x\231\344(\357\243\30\14\23\330\6\323'\301\226\31'\372D&\317\337&bS\321D9c\6=\213J\265\13\36\260Z\261h\304\206.\240 \330\25\36\24\202?\334\32\231^\252;\336\4\332\345K\201\320]\210\2671\30\3\344\237\200xl\336#]\251P\306\316'\367\373F\23\233\1\\344Xe\215a\366\12\333\204\31\337\363\337a\211\211\3462,\215#W@\340\24p\324\36\14\24\210\20H\26\242\211\361\11~\255\300c\360\362\34\225:\327\210\10\237{e\6\371\201\373?\21\226:\276-\271\360\14\4\342\313^\215\311\333t\205_]p\300\246$a\353Fv\320j\330=l\14\371.v\2174m_\27\235\13\260\263\270W\5\4\363&\252\344E\13\270\15\273B^>\6//\20\371=\306\205\35a\310\0T\230\3623\324\317\260\342sw3\36\271\245\37\200V\33\33t\224\320~P\220\22{'C\30\273;\275\240.\310\215\224B\366\254\200\10>/\372\41\15\376\204\272sJ\27\4pJ\221\14\212\343&?#f\275", ) j\13`\237u\323\227\350[\230\344V\1\10\271\273\325\27\206\313t\216\325\270\21\240n\35\11>\206\33\237U\304>\223\264L\27\206\304Hi\3B  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\277\276"\20J\02\12?hN\350S+$\34\205\15W\14\271\362s\324F\7\206\377\15}\313A\257\256\351\275Rhy\250R\6\200+J~  \221\353\214\342\317\225\242R\21>\371\373\35O\231\22\3267|\332\353\337d-\211G\317Kb\33\231J\346\272YU\371xEW\273\0\25\22\216\4W\21~\24S%"\264\362\341\310\360/N\27\257\27\377i\7\13\336\237R\374\252\101\6%\273\350\23\267og\364\312cB\202\330\307&\36\25\216\13"j\13`\237u\323\227\350[\230\344V\1\10\271\273\325\27\206\313t\216\325\270\21\240n\35\11>\206\33\237U\304>\223\264L\27\206\304Hi\3B "\13\3560Rk\234>\354\212+\0\232\13\366\177h\3\307}\363x\231\344(\357\243\30\14\23\330\6\323'\301\226\31'\372D&\317\337&bS\321D9c\6=\213J\265\13\36\260Z\261h\304\206.\240 \330\25\36\24\202?\334\32\231^\252;\336\4\332\345K\201\320]\210\2671\30\3\344\237\200xl\336#]\251P\306\316'\367\373F\23\233\1\\344Xe\215a\366\12\333\204\31\337\363\337a\211\211\3462,\215#W@\340\24p\324\36\14\24\210\20H\26\242\211\361\11~\255\300c\360\362\34\225:\327\210\10\237{e\6\371\201\373?\21\226:\276-\271\360\14\4\342\313^\215\311\333t\205_]p\300\246$a\353Fv\320j\330=l\14\371.v\2174m_\27\235\13\260\263\270W\5\4\363&\252\344E\13\270\15\273B^>\6//\20\371=\306\205\35a\310\0T\230\3623\324\317\260\342sw3\36\271\245\37\200V\33\33t\224\320~P\220\22{'C\30\273;\275\240.\310\215\224B\366\254\200\10>/\372\41\15\376\204\272sJ\27\4pJ\221\14\212\343&?#f\275", ) , ) == 0x0
 00118   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00119   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\217\323\252H\370\212\330\277EaP\210P\243\377\327\336\177\302\337\232\340\272d\237yZ`\333%\306a\2262\317\377\233\360\221'5zK\212\301!\215\200d*\374\375Wz\312\4\216\2778\215\253DF?\212\325\377I\315j\7\336\322R\331\14QOp\25\375,\200Ln)\10\4J^\323\4'\203\200d\214\5\5\2\256\334\2602\257b\311\31\313\305<5\177c\274W\2052\6h\7\303\372N\267E\33\325 \330!=\267\253M\355U\2\250\370y\226K\325\221\226\244Y\370\361o;\241\2\341\335\5\300\12\0}\212 *\200s\206-\37\3\300\215\360\330\327v\347\241\2500\371\343\372\0\367)~\254n\247\214 \255\202c\3o\375\254\201\227\301\1\36g\276\275\223\214\203q}\371T\34\243\303\26V]\341^ \16Y\327\312"\222}:\354\205\3020n\206\222s\12g\351|I\272\26\261\3\217\250\273\26}>\3126\321\360K0\361\324D\2131\33\355\220\79!\32\311m\217\372)\324\341\307\22`D\237mQ<\15sfC\214\232\342j\35G\341&\4\3633"\3633\207C\205@~t\226\15\215\257\211\242\35\272\237\2411\4\7p5\351\304\16\261\35fQ}\270u\247N\344\35\330\212C\211\330\272\0\377\5\212\370\350\340\221MuR\313k\251%\367\344\253\260\301<\372,\370\343{\230\266\224\355`\263pV\253\263 \361`\266\30i\6\2437\251\31\331\362\225\273\370S\312\247|\16\215\204~\353\264\322gH\210\223p(\205\243 \362\210"U\350\221\252-R\314\220\313h\371V\272\246\17\341\372m\35\231\32\214K\123\24\305\363\341T}\345\2320\346"r\311\236\351U\357\217\10}a\2130\317o\215o*a\334\361\20H\235\7\331\360\275\264\26\24\261 4`N\10:`\2528C\30", ) \222}:\354\205\3020n\206\222s\12g\351|I\272\26\261\3\217\250\273\26}>\3126\321\360K0\361\324D\2131\33\355\220\79!\32\311m\217\372)\324\341\307\22`D\237mQ<\15sfC\214\232\342j\35G\341&\4\3633 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\217\323\252H\370\212\330\277EaP\210P\243\377\327\336\177\302\337\232\340\272d\237yZ`\333%\306a\2262\317\377\233\360\221'5zK\212\301!\215\200d*\374\375Wz\312\4\216\2778\215\253DF?\212\325\377I\315j\7\336\322R\331\14QOp\25\375,\200Ln)\10\4J^\323\4'\203\200d\214\5\5\2\256\334\2602\257b\311\31\313\305<5\177c\274W\2052\6h\7\303\372N\267E\33\325 \330!=\267\253M\355U\2\250\370y\226K\325\221\226\244Y\370\361o;\241\2\341\335\5\300\12\0}\212 *\200s\206-\37\3\300\215\360\330\327v\347\241\2500\371\343\372\0\367)~\254n\247\214 \255\202c\3o\375\254\201\227\301\1\36g\276\275\223\214\203q}\371T\34\243\303\26V]\341^ \16Y\327\312"\222}:\354\205\3020n\206\222s\12g\351|I\272\26\261\3\217\250\273\26}>\3126\321\360K0\361\324D\2131\33\355\220\79!\32\311m\217\372)\324\341\307\22`D\237mQ<\15sfC\214\232\342j\35G\341&\4\3633"\3633\207C\205@~t\226\15\215\257\211\242\35\272\237\2411\4\7p5\351\304\16\261\35fQ}\270u\247N\344\35\330\212C\211\330\272\0\377\5\212\370\350\340\221MuR\313k\251%\367\344\253\260\301<\372,\370\343{\230\266\224\355`\263pV\253\263 \361`\266\30i\6\2437\251\31\331\362\225\273\370S\312\247|\16\215\204~\353\264\322gH\210\223p(\205\243 \362\210"U\350\221\252-R\314\220\313h\371V\272\246\17\341\372m\35\231\32\214K\123\24\305\363\341T}\345\2320\346"r\311\236\351U\357\217\10}a\2130\317o\215o*a\334\361\20H\235\7\331\360\275\264\26\24\261 4`N\10:`\2528C\30", ) U\350\221\252-R\314\220\313h\371V\272\246\17\341\372m\35\231\32\214K\123\24\305\363\341T}\345\2320\346 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\217\323\252H\370\212\330\277EaP\210P\243\377\327\336\177\302\337\232\340\272d\237yZ`\333%\306a\2262\317\377\233\360\221'5zK\212\301!\215\200d*\374\375Wz\312\4\216\2778\215\253DF?\212\325\377I\315j\7\336\322R\331\14QOp\25\375,\200Ln)\10\4J^\323\4'\203\200d\214\5\5\2\256\334\2602\257b\311\31\313\305<5\177c\274W\2052\6h\7\303\372N\267E\33\325 \330!=\267\253M\355U\2\250\370y\226K\325\221\226\244Y\370\361o;\241\2\341\335\5\300\12\0}\212 *\200s\206-\37\3\300\215\360\330\327v\347\241\2500\371\343\372\0\367)~\254n\247\214 \255\202c\3o\375\254\201\227\301\1\36g\276\275\223\214\203q}\371T\34\243\303\26V]\341^ \16Y\327\312"\222}:\354\205\3020n\206\222s\12g\351|I\272\26\261\3\217\250\273\26}>\3126\321\360K0\361\324D\2131\33\355\220\79!\32\311m\217\372)\324\341\307\22`D\237mQ<\15sfC\214\232\342j\35G\341&\4\3633"\3633\207C\205@~t\226\15\215\257\211\242\35\272\237\2411\4\7p5\351\304\16\261\35fQ}\270u\247N\344\35\330\212C\211\330\272\0\377\5\212\370\350\340\221MuR\313k\251%\367\344\253\260\301<\372,\370\343{\230\266\224\355`\263pV\253\263 \361`\266\30i\6\2437\251\31\331\362\225\273\370S\312\247|\16\215\204~\353\264\322gH\210\223p(\205\243 \362\210"U\350\221\252-R\314\220\313h\371V\272\246\17\341\372m\35\231\32\214K\123\24\305\363\341T}\345\2320\346"r\311\236\351U\357\217\10}a\2130\317o\215o*a\334\361\20H\235\7\331\360\275\264\26\24\261 4`N\10:`\2528C\30", ) , ) == 0x0
 00120   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00121   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\365@\\230\306n\35\374\232\322]{\3063:S\375L\33t\333\214\223,\254\177?\4\344p\213b\362y\365S\334l%a\245Cv\205\15\245w\3239\7p\366\235mr\227\211'F \354\233\276\327\326(E\260\326\327\351\0\272BYz\2163A\25?\4E\12\26m\302\17\216\17Q\340\215w\371\326\3044N\0\345_:S\304ds\340\200X\253\220\17\302\237\353\235\1\271I7\330*\305\214\302\21\262\276(\353\260\277\1\214\231\342,}\0ss\271\214c3\202\73P|\370 I\200\224\242<`W5\372\267\216\300z*\210\201{\12\265%K\327'\20\360\216\373O}\271\240EM\242/\224O\215\233\251\333(\235\234o \36!\346<8!\266ur\240f\6\230\35\362X\235\307K\242\330\36p\201\221 \25\307\257\200u\25o.ZhD\223\336\221\202qy\5M3\10r\342;\320\362y\33\12\4\241\337q\24\266vzI\3313\370|F'n\325!B\307\252\211\364\376\325\210:\6\364\35\17\332\11\362\333\212\207\347)#-\225\252\372;%#\345\200\31y\360'\311O\242\4\0m\212\346\15@\263\11e\1z\313\256/\331\252\232[\346q\25+PX\211i}\244.\240|\10\270:7\22\257\27\304\24\331\223\21\33\360\311fqA\230p\0\210}\377A0\317\2\263m:u\200u\367"{\335+8f\35\314\16I\34\301 \215\344\231&%\261m*\3455\207\205\211\260r|\310WX\12\347"\305\252:\215\320GQ\336\7GJzs\3\217B\26\236\241\353\300l\210,~\20\2354\300,F\222f\30\225\0R\313?\14\271$\251\10Z,\2414\351\0\357\367\203\202\335a\376\355\331 \331S\202\325\372f\334\2379\242\256zp\213\#\230\11Y\203\327v\355\314~\3", ) {\335+8f\35\314\16I\34\301 \215\344\231&%\261m*\3455\207\205\211\260r|\310WX\12\347 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\365@\\230\306n\35\374\232\322]{\3063:S\375L\33t\333\214\223,\254\177?\4\344p\213b\362y\365S\334l%a\245Cv\205\15\245w\3239\7p\366\235mr\227\211'F \354\233\276\327\326(E\260\326\327\351\0\272BYz\2163A\25?\4E\12\26m\302\17\216\17Q\340\215w\371\326\3044N\0\345_:S\304ds\340\200X\253\220\17\302\237\353\235\1\271I7\330*\305\214\302\21\262\276(\353\260\277\1\214\231\342,}\0ss\271\214c3\202\73P|\370 I\200\224\242<`W5\372\267\216\300z*\210\201{\12\265%K\327'\20\360\216\373O}\271\240EM\242/\224O\215\233\251\333(\235\234o \36!\346<8!\266ur\240f\6\230\35\362X\235\307K\242\330\36p\201\221 \25\307\257\200u\25o.ZhD\223\336\221\202qy\5M3\10r\342;\320\362y\33\12\4\241\337q\24\266vzI\3313\370|F'n\325!B\307\252\211\364\376\325\210:\6\364\35\17\332\11\362\333\212\207\347)#-\225\252\372;%#\345\200\31y\360'\311O\242\4\0m\212\346\15@\263\11e\1z\313\256/\331\252\232[\346q\25+PX\211i}\244.\240|\10\270:7\22\257\27\304\24\331\223\21\33\360\311fqA\230p\0\210}\377A0\317\2\263m:u\200u\367"{\335+8f\35\314\16I\34\301 \215\344\231&%\261m*\3455\207\205\211\260r|\310WX\12\347"\305\252:\215\320GQ\336\7GJzs\3\217B\26\236\241\353\300l\210,~\20\2354\300,F\222f\30\225\0R\313?\14\271$\251\10Z,\2414\351\0\357\367\203\202\335a\376\355\331 \331S\202\325\372f\334\2379\242\256zp\213\#\230\11Y\203\327v\355\314~\3", ) , ) == 0x0
 00122   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00123   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\230\307\275o\10\2c1V\313r\314\221ta\32\342V\23'^\15\326P\221\210\202\354\242Z&\36Bx+>\370\376`\234o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14", ) \342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\230\307\275o\10\2c1V\313r\314\221ta\32\342V\23'^\15\326P\221\210\202\354\242Z&\36Bx+>\370\376`\234o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14", ) 0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14", ) == 0x0
 00124   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00125   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\214\201\215N)\365z\22\322=\26\262Q\244Yq\246ak\367\5\27w4/\255\360:\2n\300C\343L+\205\363\0A\31\250j^\13&&\362\1\24`\314&\252!p\20\335N\23\315IS=6\5\247z\370f&H\76\325"\201\340#\223\367\267"\351\315\331Q\7\32\344\222\340\254\337zn\254\314\247\245/\31\14\2x\14\375e\367\337=\\14?d\306\254\301&A\204\222?\21\274\207mc\23R&\205%*s\201Z\371\300\205\30j*o~\26V\26>\243\352O\361\270\220@\231F\243\354g\32\2778~\320\241\240>\204\254\237\37\2a\240>\37\314\\336\360\226+9 \257b\352\33\371\14\351[\265M\322 C%f\24me\266\262\2258\1K\252\353\244\257\201,~\30\2174\21\7f\266Iu\207(\377_\231\307d\212\0U\337\211\352\3345\327\312\212\204\276\355\27\26\353\232\352a\30\2238\360\220\20T~\301}\244\350\20\230i\236O\315\230\344\252"5\371D\225\252(\31\325\215\7\346\326\27\272\213\314,|\33\207\\251Y\376\2270\2\3078a\10-p\305Q?\14\251\22\346\1f\14\2258\17\266UR~\30\240\233:P\205d^aA-\362[zu\277\22\256z9\270\364\32\234\12\227b\305\232O_X[\266\226q~\304\334w\370\246B`|\367\300\203\261\232\2\206\307\2152y\222}\370R\237\340QC\316\317"\79\215a\276\326$tY\204\276#\3311=\300\374\341\215q\265Z\314\34\212\2000\324\22\366\247\2562 \277/\375\370r4\207\222\203\340\266\3\3778I\306ML\345m\224\376Z8\200\360\273N", ) \201\340#\223\367\267 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\214\201\215N)\365z\22\322=\26\262Q\244Yq\246ak\367\5\27w4/\255\360:\2n\300C\343L+\205\363\0A\31\250j^\13&&\362\1\24`\314&\252!p\20\335N\23\315IS=6\5\247z\370f&H\76\325"\201\340#\223\367\267"\351\315\331Q\7\32\344\222\340\254\337zn\254\314\247\245/\31\14\2x\14\375e\367\337=\\14?d\306\254\301&A\204\222?\21\274\207mc\23R&\205%*s\201Z\371\300\205\30j*o~\26V\26>\243\352O\361\270\220@\231F\243\354g\32\2778~\320\241\240>\204\254\237\37\2a\240>\37\314\\336\360\226+9 \257b\352\33\371\14\351[\265M\322 C%f\24me\266\262\2258\1K\252\353\244\257\201,~\30\2174\21\7f\266Iu\207(\377_\231\307d\212\0U\337\211\352\3345\327\312\212\204\276\355\27\26\353\232\352a\30\2238\360\220\20T~\301}\244\350\20\230i\236O\315\230\344\252"5\371D\225\252(\31\325\215\7\346\326\27\272\213\314,|\33\207\\251Y\376\2270\2\3078a\10-p\305Q?\14\251\22\346\1f\14\2258\17\266UR~\30\240\233:P\205d^aA-\362[zu\277\22\256z9\270\364\32\234\12\227b\305\232O_X[\266\226q~\304\334w\370\246B`|\367\300\203\261\232\2\206\307\2152y\222}\370R\237\340QC\316\317"\79\215a\276\326$tY\204\276#\3311=\300\374\341\215q\265Z\314\34\212\2000\324\22\366\247\2562 \277/\375\370r4\207\222\203\340\266\3\3778I\306ML\345m\224\376Z8\200\360\273N", ) 5\371D\225\252(\31\325\215\7\346\326\27\272\213\314,|\33\207\\251Y\376\2270\2\3078a\10-p\305Q?\14\251\22\346\1f\14\2258\17\266UR~\30\240\233:P\205d^aA-\362[zu\277\22\256z9\270\364\32\234\12\227b\305\232O_X[\266\226q~\304\334w\370\246B`|\367\300\203\261\232\2\206\307\2152y\222}\370R\237\340QC\316\317 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\214\201\215N)\365z\22\322=\26\262Q\244Yq\246ak\367\5\27w4/\255\360:\2n\300C\343L+\205\363\0A\31\250j^\13&&\362\1\24`\314&\252!p\20\335N\23\315IS=6\5\247z\370f&H\76\325"\201\340#\223\367\267"\351\315\331Q\7\32\344\222\340\254\337zn\254\314\247\245/\31\14\2x\14\375e\367\337=\\14?d\306\254\301&A\204\222?\21\274\207mc\23R&\205%*s\201Z\371\300\205\30j*o~\26V\26>\243\352O\361\270\220@\231F\243\354g\32\2778~\320\241\240>\204\254\237\37\2a\240>\37\314\\336\360\226+9 \257b\352\33\371\14\351[\265M\322 C%f\24me\266\262\2258\1K\252\353\244\257\201,~\30\2174\21\7f\266Iu\207(\377_\231\307d\212\0U\337\211\352\3345\327\312\212\204\276\355\27\26\353\232\352a\30\2238\360\220\20T~\301}\244\350\20\230i\236O\315\230\344\252"5\371D\225\252(\31\325\215\7\346\326\27\272\213\314,|\33\207\\251Y\376\2270\2\3078a\10-p\305Q?\14\251\22\346\1f\14\2258\17\266UR~\30\240\233:P\205d^aA-\362[zu\277\22\256z9\270\364\32\234\12\227b\305\232O_X[\266\226q~\304\334w\370\246B`|\367\300\203\261\232\2\206\307\2152y\222}\370R\237\340QC\316\317"\79\215a\276\326$tY\204\276#\3311=\300\374\341\215q\265Z\314\34\212\2000\324\22\366\247\2562 \277/\375\370r4\207\222\203\340\266\3\3778I\306ML\345m\224\376Z8\200\360\273N", ) , ) == 0x0
 00126   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00127   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\347$\200\30\363\316\361\332\314\200\246|\5/\301\237CB\27\204e\300\261{\6,7\332\347\270\2710\13\361K\35\234\267\222D\236\257\276]\15\367\26D\245\267\14"-[\7\15\377!\14\34\333\276;\217+\215\212\226\230\15\365f\320\354\266\353\375:\353\14\235)y\25A%\3068\222\341\26\333\303\370\15\360\203"&\5N\255]\370\240\367q\11'i\1\267'\355&\23\222\61\271K\240(Q}6\21\275\34\\360\233\4\304H\234\301R\3667\205\310\376\341\300\242\342\343\260\333\3633\231\21)\244D\252p\2163\260F\262\243\250\312\1O\241\211W\207.-\343\363)\265\20\205\313\2410\217\30\363m95\224\216\243\322\343\217\12\15p~\210\253w\340;|\343\311a\266\303\30\3066\346\13q\324\362\3\237\375Y\336\371\363[\221\33twD\257\330C!\15\241i\234\234\365:\26\342$\311\235\14.\343\35TD\372K\33\\236\250\3651{E\34\320n\330v\262\0\263QC\205\31\300y'\211q\327X*s\212S\3p\274\263L\231A\221|\202$v\373\35\350}\267D2\372!9\302A\5o\362t\32\246\12mb\222<)\30\204u/\364\4P\17\254\7\245\17\10\353\241\270\265O{\362\16Kmf\243/\10D\25e]/d\251B8\365}fZD\366\226\357\353\272\247\2458\265\251\12\344i\352\4y\360\4J\364\11e \2497\310\222\255\240\331\4EB1`|\364\214\0\323*6\211o\260G\375\211\6\343\362\360\11\14\257!\206\256\233\217{s\205\13\205aNr\3178\232\33\274\302|9q\307|tf\217\315\14ss\201&\322\350\254\241\261f\25\374.\276p)\6\14\353\337\273\4f0\373P\206!t\3\335\123=\334/2S\305\1\365\214>\263\312D\214\7S\353", ) -[\7\15\377!\14\34\333\276;\217+\215\212\226\230\15\365f\320\354\266\353\375:\353\14\235)y\25A%\3068\222\341\26\333\303\370\15\360\203 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\347$\200\30\363\316\361\332\314\200\246|\5/\301\237CB\27\204e\300\261{\6,7\332\347\270\2710\13\361K\35\234\267\222D\236\257\276]\15\367\26D\245\267\14"-[\7\15\377!\14\34\333\276;\217+\215\212\226\230\15\365f\320\354\266\353\375:\353\14\235)y\25A%\3068\222\341\26\333\303\370\15\360\203"&\5N\255]\370\240\367q\11'i\1\267'\355&\23\222\61\271K\240(Q}6\21\275\34\\360\233\4\304H\234\301R\3667\205\310\376\341\300\242\342\343\260\333\3633\231\21)\244D\252p\2163\260F\262\243\250\312\1O\241\211W\207.-\343\363)\265\20\205\313\2410\217\30\363m95\224\216\243\322\343\217\12\15p~\210\253w\340;|\343\311a\266\303\30\3066\346\13q\324\362\3\237\375Y\336\371\363[\221\33twD\257\330C!\15\241i\234\234\365:\26\342$\311\235\14.\343\35TD\372K\33\\236\250\3651{E\34\320n\330v\262\0\263QC\205\31\300y'\211q\327X*s\212S\3p\274\263L\231A\221|\202$v\373\35\350}\267D2\372!9\302A\5o\362t\32\246\12mb\222<)\30\204u/\364\4P\17\254\7\245\17\10\353\241\270\265O{\362\16Kmf\243/\10D\25e]/d\251B8\365}fZD\366\226\357\353\272\247\2458\265\251\12\344i\352\4y\360\4J\364\11e \2497\310\222\255\240\331\4EB1`|\364\214\0\323*6\211o\260G\375\211\6\343\362\360\11\14\257!\206\256\233\217{s\205\13\205aNr\3178\232\33\274\302|9q\307|tf\217\315\14ss\201&\322\350\254\241\261f\25\374.\276p)\6\14\353\337\273\4f0\373P\206!t\3\335\123=\334/2S\305\1\365\214>\263\312D\214\7S\353", ) , ) == 0x0
 00128   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (40, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00129   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\236\7a\223\366\11.\15w\310\15\3\202a\327\240\340M\262+\264\4\256?\304\232_\335#\320\20\215\320\16\260\10v(\7\323\271\355\5\367@\7Q\363bc\2414\300>h$\255sRw{\3434O/\364.\273f\355\304\306\231\330)\373\306\32\206\212\253\240\216+\363$_uQ\22\226\271\20\226\244.%a40\334\331\276\2328C#^\336\252\4\214KZ\371-\3266\215[f\250\321\303r^\372\12K;\16\14\324\374\215MU^\31\245wU\204\353\200\337\177\261N\304\14\22fa\240c\226\266ZC\223+9\21m^C}?>\322\2129+\31\271\213\212\7\353\223\275x\27\254{\250\25\335\303}\262E\322\376M\3470'.3(AF$t:\322\227\350T\303\333si\371\241L\237O"\212t\343ah_\10;\337d\16\226\205W\364\217\35tu\257F\205\240Gu\265F\213\276c\35\371\301\24\226\210^\177\3\315I\264C3\14\2\267a\3117@V\16\300?\344\340bM\13\253p\336\210\341\212\20\360\311\207\227e\15\255\370T\301\2701\305\371\216\333\240\253\30\13R\206\2\330T\273\257\202\26s\200\350RB\17A\371)\250\273c\330\255uk\255\11\3r\315m\202\251\273\370D\230\305\256\300e$\362\344\202Fw\360`\227\2500\275\301\23\353\277\340\330\213i#\17\10\364\201\224\340\320\322\360;\360,I\4u^\211\27\3672\1'\273\33q5\377\5\264D\213 =x\200\336\223nr\307u\22\264W\237\353\222F\265\245\274 \23\13\342\220\305^2\262V\31\255\200\203\333\266\200\32\360\226\330\24\301gJ\373\7\235\300\212\3\5sp\303\314\351p\340 "K\310\206\352\17\201\326\261f\373\364'\4\367U\243\250\12\15\215B\12\353+?|u\326Iz\211\m\277\203a_!", ) \212t\343ah_\10;\337d\16\226\205W\364\217\35tu\257F\205\240Gu\265F\213\276c\35\371\301\24\226\210^\177\3\315I\264C3\14\2\267a\3117@V\16\300?\344\340bM\13\253p\336\210\341\212\20\360\311\207\227e\15\255\370T\301\2701\305\371\216\333\240\253\30\13R\206\2\330T\273\257\202\26s\200\350RB\17A\371)\250\273c\330\255uk\255\11\3r\315m\202\251\273\370D\230\305\256\300e$\362\344\202Fw\360`\227\2500\275\301\23\353\277\340\330\213i#\17\10\364\201\224\340\320\322\360;\360,I\4u^\211\27\3672\1'\273\33q5\377\5\264D\213 =x\200\336\223nr\307u\22\264W\237\353\222F\265\245\274 \23\13\342\220\305^2\262V\31\255\200\203\333\266\200\32\360\226\330\24\301gJ\373\7\235\300\212\3\5sp\303\314\351p\340  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\236\7a\223\366\11.\15w\310\15\3\202a\327\240\340M\262+\264\4\256?\304\232_\335#\320\20\215\320\16\260\10v(\7\323\271\355\5\367@\7Q\363bc\2414\300>h$\255sRw{\3434O/\364.\273f\355\304\306\231\330)\373\306\32\206\212\253\240\216+\363$_uQ\22\226\271\20\226\244.%a40\334\331\276\2328C#^\336\252\4\214KZ\371-\3266\215[f\250\321\303r^\372\12K;\16\14\324\374\215MU^\31\245wU\204\353\200\337\177\261N\304\14\22fa\240c\226\266ZC\223+9\21m^C}?>\322\2129+\31\271\213\212\7\353\223\275x\27\254{\250\25\335\303}\262E\322\376M\3470'.3(AF$t:\322\227\350T\303\333si\371\241L\237O"\212t\343ah_\10;\337d\16\226\205W\364\217\35tu\257F\205\240Gu\265F\213\276c\35\371\301\24\226\210^\177\3\315I\264C3\14\2\267a\3117@V\16\300?\344\340bM\13\253p\336\210\341\212\20\360\311\207\227e\15\255\370T\301\2701\305\371\216\333\240\253\30\13R\206\2\330T\273\257\202\26s\200\350RB\17A\371)\250\273c\330\255uk\255\11\3r\315m\202\251\273\370D\230\305\256\300e$\362\344\202Fw\360`\227\2500\275\301\23\353\277\340\330\213i#\17\10\364\201\224\340\320\322\360;\360,I\4u^\211\27\3672\1'\273\33q5\377\5\264D\213 =x\200\336\223nr\307u\22\264W\237\353\222F\265\245\274 \23\13\342\220\305^2\262V\31\255\200\203\333\266\200\32\360\226\330\24\301gJ\373\7\235\300\212\3\5sp\303\314\351p\340 "K\310\206\352\17\201\326\261f\373\364'\4\367U\243\250\12\15\215B\12\353+?|u\326Iz\211\m\277\203a_!", ) , ) == 0x0
 00130   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00131   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\275\1Z\336\33,\231'\233#$\15\13\336\345\254\200\236\24\372V\2510T\240P\243a\250zR\311$I\270l\254/\350c#\267\211x\253oT\232:\14Nfq\200s\2\316\5\14Q\15^\200\216VI\31\372\33Ic%Z\352\333\13\251w\24\201VIb\16\235^t\333R\367\12J\365\23\2347%7\250\25/\255\251o\344\335\252\325U\325Q\264e\35kL\205\315\31\203)r\360\214db\344\233!O\334\205-\334[2\260\322\10\326\360\371\352\14\242\34[\\305r\376\216,\363\302\270\273\11\233\200\241\220\16K\316(a@-T\34\3457\213\270\356\373\216\257@N\316\363\234\304\335\347C\211\217\373*\257;\366(\313/\2027\256\213\210\337\4\36\3320Y\373\332\221ov3s\262B(\313{6\250)\370\317\203\231\316\210\1779D&\246\225\201\241\14\306\273\20i\26F\235f#=\310DA\257F{\13tA\11\30\244m\342\37n$\376#\371\4\266\317\1\214", ) \236\24\372V\2510T\240P\243a\250zR\311$I\270l\254/\350c#\267\211x\253oT\232:\14Nfq\200s\2\316\5\14Q\15^\200\216VI\31\372\33Ic%Z\352\333\13\251w\24\201VIb\16\235^t\333R\367\12J\365\23\2347%7\250\25/\255\251o\344\335\252\325U\325Q\264e\35kL\205\315\31\203)r\360\214db\344\233!O\334\205-\334[2\260\322\10\326\360\371\352\14\242\34[\\305r\376\216,\363\302\270\273\11\233\200\241\220\16K\316(a@-T\34\3457\213\270\356\373\216\257@N\316\363\234\304\335\347C\211\217\373*\257;\366(\313/\2027\256\213\210\337\4\36\3320Y\373\332\221ov3s\262B(\313{6\250)\370\317\203\231\316\210\1779D&\246\225\201\241\14\306\273\20i\26F\235f#=\310DA\257F{\13tA\11\30\244m\342\37n$\376#\371\4\266\317\1\214", ) == 0x0
 00132   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (40, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00133   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\236\15\371\274\16\32L\334p\25?\15\207\251s\241\213\374\264\0\203Y\16\364\353\353X\2632\257%\2Z%\347\32J)\266\231\27\1z\17\11\263U\353\246e\226\35\335\13v\202t\272o\257\335\311\17\217\205pc0\379\4\11\205\256\346c\322\3R 2\357&p\25\222\274\207\376\266\26\177\33\\276-\5|\304;\11\305l\0Lh'|&\30v\270zc_\17\351t0\0\255\343\235T\2746m\20Y3\334\265\307&\325~\207/)\25\301Amt\260I%PM6\25\34\302\205\331\255\37\334\336D\224\24\12\353\337w!\246\300U\6_\332 f\360\225\30\314\240\275\255\2\30z\204!\300\315a\267\261WP\177\211\207\242\231.\224\2629+1\260\332\222\204\318\320%ysd\351\260\332\33\21\31B5\236\347\21\227\3354\262\3\26{'P'\240p\22*\246\311\220\365>B\310\351Wy\230t\200\373\312\334M*LL\352\344\320\207'\305S "\202Z\205\233\15\331\255\210\347\202\211!\253\233\314\375A\213G\267\355#\246\240\215\260\254\33\214r\254T_\375\224"\12\255\240\7\7aM\37\261\223\34\216\261q/4\257\356\34\345\177\304\257%\212}\220Q\34060"\212m\327\260\374\300}\24\253u\227\35\231\0le\374\213gp\213\212\341\230\3\237E\251\332\340'y\4\307\377w\10\205,\344e\324\266U\20\231>j\34\324\266\27Y\230\0V\14\245kw\277\310*\150\307U\272\350\314(\24\2550\334\34m\207'\253[.\317}\13\5'\214\312?@6\27r5\34\257\370\223\371\205\353/\245\363\353\213\355\2\325\326k\357\23\22\262$q\260\215\374\177\216\377wr\253\17\14\246\331\365\367\245\320?\21\341\3017\250\216U_\213Pv\277\1\201:\272\1\215\241,\340:\355\220\200", ) \202Z\205\233\15\331\255\210\347\202\211!\253\233\314\375A\213G\267\355#\246\240\215\260\254\33\214r\254T_\375\224 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\236\15\371\274\16\32L\334p\25?\15\207\251s\241\213\374\264\0\203Y\16\364\353\353X\2632\257%\2Z%\347\32J)\266\231\27\1z\17\11\263U\353\246e\226\35\335\13v\202t\272o\257\335\311\17\217\205pc0\379\4\11\205\256\346c\322\3R 2\357&p\25\222\274\207\376\266\26\177\33\\276-\5|\304;\11\305l\0Lh'|&\30v\270zc_\17\351t0\0\255\343\235T\2746m\20Y3\334\265\307&\325~\207/)\25\301Amt\260I%PM6\25\34\302\205\331\255\37\334\336D\224\24\12\353\337w!\246\300U\6_\332 f\360\225\30\314\240\275\255\2\30z\204!\300\315a\267\261WP\177\211\207\242\231.\224\2629+1\260\332\222\204\318\320%ysd\351\260\332\33\21\31B5\236\347\21\227\3354\262\3\26{'P'\240p\22*\246\311\220\365>B\310\351Wy\230t\200\373\312\334M*LL\352\344\320\207'\305S "\202Z\205\233\15\331\255\210\347\202\211!\253\233\314\375A\213G\267\355#\246\240\215\260\254\33\214r\254T_\375\224"\12\255\240\7\7aM\37\261\223\34\216\261q/4\257\356\34\345\177\304\257%\212}\220Q\34060"\212m\327\260\374\300}\24\253u\227\35\231\0le\374\213gp\213\212\341\230\3\237E\251\332\340'y\4\307\377w\10\205,\344e\324\266U\20\231>j\34\324\266\27Y\230\0V\14\245kw\277\310*\150\307U\272\350\314(\24\2550\334\34m\207'\253[.\317}\13\5'\214\312?@6\27r5\34\257\370\223\371\205\353/\245\363\353\213\355\2\325\326k\357\23\22\262$q\260\215\374\177\216\377wr\253\17\14\246\331\365\367\245\320?\21\341\3017\250\216U_\213Pv\277\1\201:\272\1\215\241,\340:\355\220\200", ) \212m\327\260\374\300}\24\253u\227\35\231\0le\374\213gp\213\212\341\230\3\237E\251\332\340'y\4\307\377w\10\205,\344e\324\266U\20\231>j\34\324\266\27Y\230\0V\14\245kw\277\310*\150\307U\272\350\314(\24\2550\334\34m\207'\253[.\317}\13\5'\214\312?@6\27r5\34\257\370\223\371\205\353/\245\363\353\213\355\2\325\326k\357\23\22\262$q\260\215\374\177\216\377wr\253\17\14\246\331\365\367\245\320?\21\341\3017\250\216U_\213Pv\277\1\201:\272\1\215\241,\340:\355\220\200", ) == 0x0
 00134   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00135   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\256\325g\205\353f\216\6\226T\371\22\210\373zs\242\373\354\242\343\24HC\23"\220\6\234\317r29R\234/ \332I\373\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\", ) \220\6\234\317r29R\234/ \332I\373\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\256\325g\205\353f\216\6\226T\371\22\210\373zs\242\373\354\242\343\24HC\23"\220\6\234\317r29R\234/ \332I\373\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\", ) \3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\256\325g\205\353f\216\6\226T\371\22\210\373zs\242\373\354\242\343\24HC\23"\220\6\234\317r29R\234/ \332I\373\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\", ) , ) == 0x0
 00136   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00137   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\356nj!\241\33Q\264\27#\4B\314tyD\231!\21t\315n\26t\231G3\14EE\277\4\231\30Q\220!k\345<\16\4.\310\262h\233^\354\274\372\233\317xQ\364\316\351\27(\361i~\240%~&\5\376?\272\3\214\2138D\210cj\316\212\351\271H\214#\27\30\215\36V\313/\12\252\7]\362\370A\247\240\342\204\311\332v\231\15\353{:\255e$\7T\313\M\241Wv\306\206\304>\201\316`E\3{\350(+\316\254y|\345`<\232\231!\356\254\35\267\203J\212o\324\357\334}\244*\366\17#\274~\267q%=LrO2oS\233\355\3776\24\311\24zK\213\314\27\13\3110Q8>7\273\215\11c`\24\311\304\241\14\365$`S\310(\311\11\264\265\356S\270eJ\35Op\252S\221O\123\201\267O\204\31\177\271E%\177&a1\350\4/\330(\201EUO\243\267AT'\303\2/Ft\242\31\343_\310\3344\30\342\2648\232\240\261QH5\247\362\220\226Lqwc\232?p\26w5\30\216Gu\246\355\0\313\1\17\7s\271\345#\213 t a4\215wJ\217p&\226\0\334\300pi?p\0\3\330D\24T\231\357\2T\215\0\360*5\371\334\27\337\30b\344\372v\273&\2128dP\234W$\18\356c\27vS\262\354!*O\347\262s\22\20\235\262sE\275\264"Tm\336MSE1\35\3517\314\366\346\206t \2R|\271\30\255\221\344\334V#\374p\2142\231\2Fg\316\367\247\331\16\4\215g\252H\231\38.\316i\3128\324\350t\244\2078.\242\211\333~\2\300Ub\257\305#\26\2/\206*h\346\305\25p\2269\226\3"\14\273\360\264\327v\4\236\260p\3_-v\266\201 r\10\221#\270\226\271#2 \236\235\367M", ) Tm\336MSE1\35\3517\314\366\346\206t \2R|\271\30\255\221\344\334V#\374p\2142\231\2Fg\316\367\247\331\16\4\215g\252H\231\38.\316i\3128\324\350t\244\2078.\242\211\333~\2\300Ub\257\305#\26\2/\206*h\346\305\25p\2269\226\3 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\356nj!\241\33Q\264\27#\4B\314tyD\231!\21t\315n\26t\231G3\14EE\277\4\231\30Q\220!k\345<\16\4.\310\262h\233^\354\274\372\233\317xQ\364\316\351\27(\361i~\240%~&\5\376?\272\3\214\2138D\210cj\316\212\351\271H\214#\27\30\215\36V\313/\12\252\7]\362\370A\247\240\342\204\311\332v\231\15\353{:\255e$\7T\313\M\241Wv\306\206\304>\201\316`E\3{\350(+\316\254y|\345`<\232\231!\356\254\35\267\203J\212o\324\357\334}\244*\366\17#\274~\267q%=LrO2oS\233\355\3776\24\311\24zK\213\314\27\13\3110Q8>7\273\215\11c`\24\311\304\241\14\365$`S\310(\311\11\264\265\356S\270eJ\35Op\252S\221O\123\201\267O\204\31\177\271E%\177&a1\350\4/\330(\201EUO\243\267AT'\303\2/Ft\242\31\343_\310\3344\30\342\2648\232\240\261QH5\247\362\220\226Lqwc\232?p\26w5\30\216Gu\246\355\0\313\1\17\7s\271\345#\213 t a4\215wJ\217p&\226\0\334\300pi?p\0\3\330D\24T\231\357\2T\215\0\360*5\371\334\27\337\30b\344\372v\273&\2128dP\234W$\18\356c\27vS\262\354!*O\347\262s\22\20\235\262sE\275\264"Tm\336MSE1\35\3517\314\366\346\206t \2R|\271\30\255\221\344\334V#\374p\2142\231\2Fg\316\367\247\331\16\4\215g\252H\231\38.\316i\3128\324\350t\244\2078.\242\211\333~\2\300Ub\257\305#\26\2/\206*h\346\305\25p\2269\226\3"\14\273\360\264\327v\4\236\260p\3_-v\266\201 r\10\221#\270\226\271#2 \236\235\367M", ) , ) == 0x0
 00138   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00139   484   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\27`b\214\2178\334\1\227R\340\207$\210}\236q|GL\354\11\255~\342\346\226\340\267h{/_\330\235\21\302Ff\334>\15\351+\11\301\201 \252\17\261*4\21I6.kw\0\24A\220!\246k\305\263x\345n\306\372a\342\370y+\206L\304\214\257\236b\201\217\202\231\3012!\24@1\371Yv\3.\252\262\255`}\21=\20\352\315\307\22?\263a\5\351@\365.\364\14D\355`\226\245h|\13\251`\261@\235e\370\261\324;\363|\351*{\221\272\273w\20*1!\3600\343\300\11\304+.BJ#l\357:,\264\217sb"\261\11\12.\203\354\3410\20\7\333T\364\205\242\330\211\267\221\36\26)\256`\14\253SC\353\32"\351\11\343\4bsL\16\10\266\264}\Y\1\22\25\20VT"\5>*[\370?)\271\352\232\224\275:\201\4iB\335*&\20\2056vM\213q^\2\211\344\15d\210Kf\6\313\204\342\11\233+\360\242\346\6l#\324=p=e\354\352\5l\265\2218\235;k\263\210o\6\242g2\344\260\236\11G\26\2668t\234\333EI;IB>\20\13\321\10\355\223J$!\7cI\305\270\31\4\203\20\2\232\240[cn\200\310\22\300\16AB\211\242\14\253\214TPf\2q.Q\250\225\342*\337\321\351\354-\202U\20\236\310v#\21\211>}\22\317,4@\362r\300CG*\300\14P\236z\322=\202!\344\340$\36YN\2134\16\179\301%\20/\320\336\276T\271F\Lz6\201@\355)\257\335\310A\201x\262\340\354\343\315\241\267\317\2\357qNs\231$\203Nur\204h\306\272*\237\234\31\200\1\245B\317\11j\27\341\226@\374~\224\204}\252\222L\222\26\20z0(x;\332d\4", ) \261\11\12.\203\354\3410\20\7\333T\364\205\242\330\211\267\221\36\26)\256`\14\253SC\353\32 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\27`b\214\2178\334\1\227R\340\207$\210}\236q|GL\354\11\255~\342\346\226\340\267h{/_\330\235\21\302Ff\334>\15\351+\11\301\201 \252\17\261*4\21I6.kw\0\24A\220!\246k\305\263x\345n\306\372a\342\370y+\206L\304\214\257\236b\201\217\202\231\3012!\24@1\371Yv\3.\252\262\255`}\21=\20\352\315\307\22?\263a\5\351@\365.\364\14D\355`\226\245h|\13\251`\261@\235e\370\261\324;\363|\351*{\221\272\273w\20*1!\3600\343\300\11\304+.BJ#l\357:,\264\217sb"\261\11\12.\203\354\3410\20\7\333T\364\205\242\330\211\267\221\36\26)\256`\14\253SC\353\32"\351\11\343\4bsL\16\10\266\264}\Y\1\22\25\20VT"\5>*[\370?)\271\352\232\224\275:\201\4iB\335*&\20\2056vM\213q^\2\211\344\15d\210Kf\6\313\204\342\11\233+\360\242\346\6l#\324=p=e\354\352\5l\265\2218\235;k\263\210o\6\242g2\344\260\236\11G\26\2668t\234\333EI;IB>\20\13\321\10\355\223J$!\7cI\305\270\31\4\203\20\2\232\240[cn\200\310\22\300\16AB\211\242\14\253\214TPf\2q.Q\250\225\342*\337\321\351\354-\202U\20\236\310v#\21\211>}\22\317,4@\362r\300CG*\300\14P\236z\322=\202!\344\340$\36YN\2134\16\179\301%\20/\320\336\276T\271F\Lz6\201@\355)\257\335\310A\201x\262\340\354\343\315\241\267\317\2\357qNs\231$\203Nur\204h\306\272*\237\234\31\200\1\245B\317\11j\27\341\226@\374~\224\204}\252\222L\222\26\20z0(x;\332d\4", ) \5>*[\370?)\271\352\232\224\275:\201\4iB\335*&\20\2056vM\213q^\2\211\344\15d\210Kf\6\313\204\342\11\233+\360\242\346\6l#\324=p=e\354\352\5l\265\2218\235;k\263\210o\6\242g2\344\260\236\11G\26\2668t\234\333EI;IB>\20\13\321\10\355\223J$!\7cI\305\270\31\4\203\20\2\232\240[cn\200\310\22\300\16AB\211\242\14\253\214TPf\2q.Q\250\225\342*\337\321\351\354-\202U\20\236\310v#\21\211>}\22\317,4@\362r\300CG*\300\14P\236z\322=\202!\344\340$\36YN\2134\16\179\301%\20/\320\336\276T\271F\Lz6\201@\355)\257\335\310A\201x\262\340\354\343\315\241\267\317\2\357qNs\231$\203Nur\204h\306\272*\237\234\31\200\1\245B\317\11j\27\341\226@\374~\224\204}\252\222L\222\26\20z0(x;\332d\4", ) == 0x0
 00140   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00141   484   NtReadFile  (36, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (36, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\315kr\0\335kr\0\351{r\0\371{r\0iIr\0yIr\0\211Jr\0\201Jr\0\231Jr\0\221Jr\0\251Jr\0\241Jr\0\271Jr\0\261Jr\0\311Jr\0\301Jr\0-Jr\09Jr\0UJr\0\221Kr\0\335Kr\0%Kr\0]Kr\0\235Lr\0\35Lr\0eLr\0\11Nr\0}Or\0\275Pr\0\231Qr\0-Qr\0\371Sr\0\361Ur\0\311Wr\0\245Xr\0EXr\0\305Yr\0\5Yr\0\361Zr\0\21Zr\0MZr\0}Zr\0\25cw\0mcw\0Z\11u\0f\11u\0\217\12u\0\227\12u\0\271\12u\0\303\12u\0\344\12u\0\11\12u\0-\12u\04\12u\0Y\12u\0e\12u\0s\12u\0\237\13u\0\245\13u\0\314\13u\0\335\13u\0\360\13u\0\33\13u\0:\13u\0\\13u\0u\13u\0\226\14u\0\307\14u\0\342\14u\0\37\14u\0L\14u\0l\14u\0\211\15u\0\264\15u\0\352\15u\0\361\15u\0\37\15u\0'\15u\0M\15u\0[\15u\0a\15u\0\214\16u\0\227\16u\0\242\16u\0\311\16u\0\323\16u\0\364\16u\0\11\16u\0\7\16u\0\36\16u\0\22\16u\0\221 d\0\232 k\0\231 j\0\230 h\0\211 q\0\205 u\0\213 w\0\246 i\0\220 l\0\251 R\0\245 X\0\244 S\0\256 P\0\222 W\0\253 U\0\236 c\0\237 ~\0\235 |\0\202 \177\0\206 x\0\204 ^\0\215 p\0\214 \\0\240 r\0\215 r\0\215 r\0\215 r@\251X\2$\274\22, ) , ) == 0x0
 00142   484   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00143   484   NtClose  (40, ... ) == 0x0
 00144   484   NtClose  (36, ... ) == 0x0
 00145   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00146   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00147   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 36, ... 40, ) == 0x0
 00148   484   NtClose  (36, ... ) == 0x0
 00149   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0
 00150   484   NtClose  (40, ... ) == 0x0
 00151   484   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00152   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00153   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00154   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.tmp"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00155   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00156   484   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00157   484   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00158   484   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00159   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00161   484   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00162   484   NtClose  (48, ... ) == 0x0
 00163   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00164   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00165   484   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00166   484   NtClose  (48, ... ) == 0x0
 00167   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   484   NtClose  (44, ... ) == 0x0
 00169   484   NtClose  (40, ... ) == 0x0
 00170   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00171   484   NtMapViewOfSection  (36, -1, (0x320000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00172   484   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00173   484   NtClose  (36, ... ) == 0x0
 00174   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 8, ) == 0x0
 00175   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 8, ... (0x392000), 4096, 4, ) == 0x0
 00176   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00177   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00178   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00179   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00180   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00181   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00182   484   NtClose  (36, ... ) == 0x0
 00183   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00184   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00185   484   NtClose  (36, ... ) == 0x0
 00186   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00187   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00188   484   NtClose  (36, ... ) == 0x0
 00189   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00190   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00191   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00192   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00193   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00194   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00195   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00196   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00197   484   NtClose  (36, ... ) == 0x0
 00198   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00199   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00200   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00201   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00202   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00203   484   NtClose  (36, ... ) == 0x0
 00204   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00205   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00206   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00207   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00208   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00209   484   NtClose  (36, ... ) == 0x0
 00210   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00211   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00212   484   NtClose  (36, ... ) == 0x0
 00213   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00214   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00215   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00216   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00217   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00218   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00219   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00221   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00223   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00224   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0
 00225   484   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00226   484   NtClose  (36, ... ) == 0x0
 00227   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00228   484   NtClose  (40, ... ) == 0x0
 00229   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00231   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == 0x0
 00233   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00234   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00235   484   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00236   484   NtClose  (40, ... ) == 0x0
 00237   484   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00238   484   NtClose  (36, ... ) == 0x0
 00239   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == 0x0
 00243   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00244   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0
 00245   484   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00246   484   NtClose  (36, ... ) == 0x0
 00247   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00248   484   NtClose  (40, ... ) == 0x0
 00249   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00250   484   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00251   484   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00252   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00253   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 484, 1518, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 484, 1518, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 484, 1518, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00254   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   484   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x550000), 0x0, 1060864, ) == 0x0
 00256   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00257   484   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00258   484   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482040, ) == 0x0
 00259   484   NtQueryInformationToken  (-2147482040, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00260   484   NtQueryInformationToken  (-2147482040, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00261   484   NtClose  (-2147482040, ... ) == 0x0
 00262   484   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3801088, 4096, ) == 0x0
 00263   484   NtFreeVirtualMemory  (-1, (0x3a0000), 4096, 32768, ... (0x3a0000), 4096, ) == 0x0
 00264   484   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00265   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00266   484   NtQueryValueKey  (-2147482040,  (-2147482040, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   484   NtClose  (-2147482040, ... ) == 0x0
 00268   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00269   484   NtQueryValueKey  (-2147482040,  (-2147482040, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   484   NtClose  (-2147482040, ... ) == 0x0
 00271   484   NtQueryDefaultLocale  (0, -136312308, ... ) == 0x0
 00272   484   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00273   484   NtUserCallNoParam  (24, ... ) == 0x0
 00274   484   NtGdiCreateCompatibleDC  (0, ...
 00275   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0
 00274   484   NtGdiCreateCompatibleDC  ... ) == 0x130102fb
 00276   484   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00277   484   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00278   484   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xc0503e1
 00279   484   NtGdiCreateSolidBrush  (0, 0, ...
 00280   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3866624, 4096, ) == 0x0
 00279   484   NtGdiCreateSolidBrush  ... ) == 0x1b1003c8
 00281   484   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00282   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x70010383
 00283   484   NtGdiSelectBitmap  (1879114627, 201655265, ... ) == 0x185000f
 00284   484   NtUserGetThreadDesktop  (484, 0, ... ) == 0x30
 00285   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00286   484   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00287   484   NtClose  (56, ... ) == 0x0
 00288   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00289   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 673, 128, 0, ... ) == 0x810dc017
 00290   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00291   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 674, 128, 0, ... ) == 0x810dc01c
 00292   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00293   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 675, 128, 0, ... ) == 0x810dc01e
 00294   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00295   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 676, 128, 0, ... ) == 0x810d8002
 00296   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10013
 00297   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 677, 128, 0, ... ) == 0x810dc018
 00298   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00299   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 678, 128, 0, ... ) == 0x810dc01a
 00300   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00301   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 679, 128, 0, ... ) == 0x810dc01d
 00302   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00303   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 681, 128, 0, ... ) == 0x810dc026
 00304   484   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00305   484   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 680, 128, 0, ... ) == 0x810dc019
 00306   484   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ...
 00307   484   NtAllocateVirtualMemory  (-1, 6778880, 0, 4096, 4096, 32, ... 6778880, 4096, ) == 0x0
 00306   484   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00308   484   NtUserRegisterClassExWOW  (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810dc022
 00309   484   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810dc023
 00310   484   NtUserRegisterClassExWOW  (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810dc024
 00311   484   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810dc025
 00312   484   NtCallbackReturn  (0, 0, 0, ...
 00313   484   NtGdiInit  (... ) == 0x1
 00314   484   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00315   484   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00316   484   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00317   484   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 56, ) == 0x0
 00318   484   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00319   484   NtClose  (56, ... ) == 0x0
 00320   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00321   484   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00322   484   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00323   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00324   484   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   484   NtClose  (56, ... ) == 0x0
 00326   484   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00327   484   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00328   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00329   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00330   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b
 00331   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00332   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d
 00333   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00334   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00335   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f
 00336   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00337   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00338   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041
 00339   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00340   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00341   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043
 00342   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00343   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045
 00344   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00345   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00346   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047
 00347   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00348   484   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00349   484   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049
 00350   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00351   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00352   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b
 00353   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00354   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00355   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d
 00356   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00357   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00358   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f
 00359   484   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00360   484   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051
 00361   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00362   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00363   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053
 00364   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00365   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00366   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055
 00367   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057
 00368   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00369   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00370   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059
 00371   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00372   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00373   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b
 00374   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00375   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00376   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d
 00377   484   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00378   484   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00379   484   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f
 00380   484   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 56, ) == 0x0
 00381   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0
 00382   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 64, ) }, ... 64, ) == 0x0
 00383   484   NtNotifyChangeKey  (64, 60, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00384   484   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00385   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0
 00386   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00387   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00388   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00389   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 76, ) == 0x0
 00390   484   NtQueryValueKey  (76,  (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00391   484   NtClose  (76, ... ) == 0x0
 00392   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00393   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00394   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00395   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00396   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 76, ) }, ... 76, ) == 0x0
 00397   484   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   484   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399   484   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   484   NtClose  (76, ... ) == 0x0
 00401   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 76, ) }, ... 76, ) == 0x0
 00402   484   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   484   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00404   484   NtClose  (76, ... ) == 0x0
 00405   484   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) }, ... 76, ) == 0x0
 00406   484   NtOpenEvent  (0x1f0003, {24, 76, 0x0, 0, 0,  (0x1f0003, {24, 76, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00408   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3932160, 65536, ) == 0x0
 00409   484   NtAllocateVirtualMemory  (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0
 00410   484   NtAllocateVirtualMemory  (-1, 3936256, 0, 8192, 4096, 4, ... 3936256, 8192, ) == 0x0
 00411   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00412   484   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3d0000), 0x0, 12288, ) == 0x0
 00413   484   NtClose  (80, ... ) == 0x0
 00414   484   NtAllocateVirtualMemory  (-1, 3944448, 0, 4096, 4096, 4, ... 3944448, 4096, ) == 0x0
 00415   484   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00416   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00417   484   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00419   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00420   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00421   484   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00422   484   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00423   484   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00424   484   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00425   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9830400, 1048576, ) == 0x0
 00426   484   NtAllocateVirtualMemory  (-1, 9830400, 0, 16384, 4096, 4, ... 9830400, 16384, ) == 0x0
 00427   484   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00428   484   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00429   484   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   484   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   484   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00432   484   NtQueryInformationToken  (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00433   484   NtClose  (80, ... ) == 0x0
 00434   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00435   484   NtReleaseMutant  (16, ...
 00436   484   NtContinue  (-136314744, 0, ...
 00435   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00437   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00438   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00440   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00441   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ona1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00444   484   NtReleaseMutant  (16, ...
 00445   484   NtContinue  (-136314744, 0, ...
 00444   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00446   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00447   484   NtReleaseMutant  (16, ...
 00448   484   NtContinue  (-136314744, 0, ...
 00447   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00449   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00450   484   NtReleaseMutant  (16, ...
 00451   484   NtContinue  (-136314744, 0, ...
 00450   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00452   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00453   484   NtReleaseMutant  (16, ...
 00454   484   NtContinue  (-136314744, 0, ...
 00453   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00455   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00456   484   NtReleaseMutant  (16, ...
 00457   484   NtContinue  (-136314744, 0, ...
 00456   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00458   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00459   484   NtReleaseMutant  (16, ...
 00460   484   NtContinue  (-136314744, 0, ...
 00459   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00461   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00462   484   NtReleaseMutant  (16, ...
 00463   484   NtContinue  (-136314744, 0, ...
 00462   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00464   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00465   484   NtReleaseMutant  (16, ...
 00466   484   NtContinue  (-136314744, 0, ...
 00465   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00467   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00468   484   NtReleaseMutant  (16, ...
 00469   484   NtContinue  (-136314744, 0, ...
 00468   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00470   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00471   484   NtReleaseMutant  (16, ...
 00472   484   NtContinue  (-136314744, 0, ...
 00471   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00473   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00474   484   NtReleaseMutant  (16, ...
 00475   484   NtContinue  (-136314744, 0, ...
 00474   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00476   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00477   484   NtReleaseMutant  (16, ...
 00478   484   NtContinue  (-136314744, 0, ...
 00477   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00479   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00480   484   NtReleaseMutant  (16, ...
 00481   484   NtContinue  (-136314744, 0, ...
 00480   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00482   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00483   484   NtReleaseMutant  (16, ...
 00484   484   NtContinue  (-136314744, 0, ...
 00483   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00485   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00486   484   NtReleaseMutant  (16, ...
 00487   484   NtContinue  (-136314744, 0, ...
 00486   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00488   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00489   484   NtReleaseMutant  (16, ...
 00490   484   NtContinue  (-136314744, 0, ...
 00489   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00491   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00492   484   NtReleaseMutant  (16, ...
 00493   484   NtContinue  (-136314744, 0, ...
 00492   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00494   484   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00495   484   NtReleaseMutant  (16, ...
 00496   484   NtContinue  (-136314744, 0, ...
 00495   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00497   484   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 80, ) == 0x0
 00498   484   NtUserGetDC  (0, ... ) == 0x1010054
 00499   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00500   484   NtUserGetDC  (0, ... ) == 0x1010054
 00501   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00502   484   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x16080381
 00503   484   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00504   484   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00505   484   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00506   484   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0D\00\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00507   484   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\03\02\00\00\00\00\00\00\00\00\00\01\0E\04\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00508   484   NtUserSystemParametersInfo  (104, 0, 9835644, 0, ... ) == 0x1
 00509   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00510   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00511   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00512   484   NtUserGetDC  (0, ... ) == 0x1010054
 00513   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xb0503e0
 00514   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00515   484   NtGdiSelectBitmap  (318833403, 184878048, ... ) == 0x185000f
 00516   484   NtGdiGetDCforBitmap  (184878048, ... ) == 0x130102fb
 00517   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00518   484   NtGdiSelectBitmap  (318833403, 184878048, ... ) == 0xb0503e0
 00519   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00520   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00521   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3683852, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00522   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00523   484   NtGdiSelectBitmap  (318833403, 184878048, ... ) == 0xb0503e0
 00524   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00525   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xb0503e0
 00526   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0x2d0103ba
 00527   484   NtGdiExtGetObjectW  (184878048, 24, 1241324, ... ) == 0x18
 00528   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x1a0503e8
 00529   484   NtGdiSelectBitmap  (318833403, 184878048, ... ) == 0x185000f
 00530   484   NtGdiSelectBitmap  (755041210, 436536296, ... ) == 0x185000f
 00531   484   NtGdiBitBlt  (755041210, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00532   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xb0503e0
 00533   484   NtGdiSelectBitmap  (755041210, 25493519, ... ) == 0x1a0503e8
 00534   484   NtGdiDeleteObjectApp  (184878048, ... ) == 0x1
 00535   484   NtGdiDeleteObjectApp  (755041210, ... ) == 0x1
 00536   484   NtUserCallOneParam  (0, 33, ... ) == 0x3006f
 00537   484   NtUserSetCursorIconData  (196719, 1241432, 1241448, 1242028, ... ) == 0x1
 00538   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00539   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00540   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00541   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00542   484   NtUserGetDC  (0, ... ) == 0x1010054
 00543   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x70503e4
 00544   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00545   484   NtGdiSelectBitmap  (318833403, 117769188, ... ) == 0x185000f
 00546   484   NtGdiGetDCforBitmap  (117769188, ... ) == 0x130102fb
 00547   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00548   484   NtGdiSelectBitmap  (318833403, 117769188, ... ) == 0x70503e4
 00549   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00550   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00551   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3684160, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00552   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00553   484   NtGdiSelectBitmap  (318833403, 117769188, ... ) == 0x70503e4
 00554   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00555   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x70503e4
 00556   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0xd0103e0
 00557   484   NtGdiExtGetObjectW  (117769188, 24, 1241324, ... ) == 0x18
 00558   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x140503de
 00559   484   NtGdiSelectBitmap  (318833403, 117769188, ... ) == 0x185000f
 00560   484   NtGdiSelectBitmap  (218170336, 335872990, ... ) == 0x185000f
 00561   484   NtGdiBitBlt  (218170336, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00562   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x70503e4
 00563   484   NtGdiSelectBitmap  (218170336, 25493519, ... ) == 0x140503de
 00564   484   NtGdiDeleteObjectApp  (117769188, ... ) == 0x1
 00565   484   NtGdiDeleteObjectApp  (218170336, ... ) == 0x1
 00566   484   NtUserCallOneParam  (0, 33, ... ) == 0x20069
 00567   484   NtUserSetCursorIconData  (131177, 1241432, 1241448, 1242028, ... ) == 0x1
 00568   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00569   484   NtUserGetDC  (0, ... ) == 0x1010054
 00570   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2f0503ba
 00571   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00572   484   NtGdiSelectBitmap  (318833403, 788857786, ... ) == 0x185000f
 00573   484   NtGdiGetDCforBitmap  (788857786, ... ) == 0x130102fb
 00574   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00575   484   NtGdiSelectBitmap  (318833403, 788857786, ... ) == 0x2f0503ba
 00576   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00577   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00578   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3684468, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00579   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00580   484   NtGdiSelectBitmap  (318833403, 788857786, ... ) == 0x2f0503ba
 00581   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00582   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x2f0503ba
 00583   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0x90103e4
 00584   484   NtGdiExtGetObjectW  (788857786, 24, 1241324, ... ) == 0x18
 00585   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x60503e7
 00586   484   NtGdiSelectBitmap  (318833403, 788857786, ... ) == 0x185000f
 00587   484   NtGdiSelectBitmap  (151061476, 100991975, ... ) == 0x185000f
 00588   484   NtGdiBitBlt  (151061476, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00589   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x2f0503ba
 00590   484   NtGdiSelectBitmap  (151061476, 25493519, ... ) == 0x60503e7
 00591   484   NtGdiDeleteObjectApp  (788857786, ... ) == 0x1
 00592   484   NtGdiDeleteObjectApp  (151061476, ... ) == 0x1
 00593   484   NtUserCallOneParam  (0, 33, ... ) == 0x2006b
 00594   484   NtUserSetCursorIconData  (131179, 1241432, 1241448, 1242028, ... ) == 0x1
 00595   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00596   484   NtUserGetDC  (0, ... ) == 0x1010054
 00597   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xf0503e0
 00598   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00599   484   NtGdiSelectBitmap  (318833403, 251986912, ... ) == 0x185000f
 00600   484   NtGdiGetDCforBitmap  (251986912, ... ) == 0x130102fb
 00601   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00602   484   NtGdiSelectBitmap  (318833403, 251986912, ... ) == 0xf0503e0
 00603   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00604   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00605   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3684776, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00606   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00607   484   NtGdiSelectBitmap  (318833403, 251986912, ... ) == 0xf0503e0
 00608   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00609   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xf0503e0
 00610   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0x310103ba
 00611   484   NtGdiExtGetObjectW  (251986912, 24, 1241324, ... ) == 0x18
 00612   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xd050382
 00613   484   NtGdiSelectBitmap  (318833403, 251986912, ... ) == 0x185000f
 00614   484   NtGdiSelectBitmap  (822150074, 218432386, ... ) == 0x185000f
 00615   484   NtGdiBitBlt  (822150074, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00616   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xf0503e0
 00617   484   NtGdiSelectBitmap  (822150074, 25493519, ... ) == 0xd050382
 00618   484   NtGdiDeleteObjectApp  (251986912, ... ) == 0x1
 00619   484   NtGdiDeleteObjectApp  (822150074, ... ) == 0x1
 00620   484   NtUserCallOneParam  (0, 33, ... ) == 0x20093
 00621   484   NtUserSetCursorIconData  (131219, 1241432, 1241448, 1242028, ... ) == 0x1
 00622   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00623   484   NtUserGetDC  (0, ... ) == 0x1010054
 00624   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xb0503e4
 00625   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00626   484   NtGdiSelectBitmap  (318833403, 184878052, ... ) == 0x185000f
 00627   484   NtGdiGetDCforBitmap  (184878052, ... ) == 0x130102fb
 00628   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00629   484   NtGdiSelectBitmap  (318833403, 184878052, ... ) == 0xb0503e4
 00630   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00631   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00632   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3685084, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00633   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00634   484   NtGdiSelectBitmap  (318833403, 184878052, ... ) == 0xb0503e4
 00635   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00636   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xb0503e4
 00637   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0x110103e0
 00638   484   NtGdiExtGetObjectW  (184878052, 24, 1241324, ... ) == 0x18
 00639   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x30503e9
 00640   484   NtGdiSelectBitmap  (318833403, 184878052, ... ) == 0x185000f
 00641   484   NtGdiSelectBitmap  (285279200, 50660329, ... ) == 0x185000f
 00642   484   NtGdiBitBlt  (285279200, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00643   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0xb0503e4
 00644   484   NtGdiSelectBitmap  (285279200, 25493519, ... ) == 0x30503e9
 00645   484   NtGdiDeleteObjectApp  (184878052, ... ) == 0x1
 00646   484   NtGdiDeleteObjectApp  (285279200, ... ) == 0x1
 00647   484   NtUserCallOneParam  (0, 33, ... ) == 0x4006d
 00648   484   NtUserSetCursorIconData  (262253, 1241432, 1241448, 1242028, ... ) == 0x1
 00649   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00650   484   NtUserGetDC  (0, ... ) == 0x1010054
 00651   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x330503ba
 00652   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00653   484   NtGdiSelectBitmap  (318833403, 855966650, ... ) == 0x185000f
 00654   484   NtGdiGetDCforBitmap  (855966650, ... ) == 0x130102fb
 00655   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00656   484   NtGdiSelectBitmap  (318833403, 855966650, ... ) == 0x330503ba
 00657   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00658   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00659   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3685700, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00660   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00661   484   NtGdiSelectBitmap  (318833403, 855966650, ... ) == 0x330503ba
 00662   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00663   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x330503ba
 00664   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0xd0103e4
 00665   484   NtGdiExtGetObjectW  (855966650, 24, 1241324, ... ) == 0x18
 00666   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x30503ea
 00667   484   NtGdiSelectBitmap  (318833403, 855966650, ... ) == 0x185000f
 00668   484   NtGdiSelectBitmap  (218170340, 50660330, ... ) == 0x185000f
 00669   484   NtGdiBitBlt  (218170340, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00670   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x330503ba
 00671   484   NtGdiSelectBitmap  (218170340, 25493519, ... ) == 0x30503ea
 00672   484   NtGdiDeleteObjectApp  (855966650, ... ) == 0x1
 00673   484   NtGdiDeleteObjectApp  (218170340, ... ) == 0x1
 00674   484   NtUserCallOneParam  (0, 33, ... ) == 0x20095
 00675   484   NtUserSetCursorIconData  (131221, 1241432, 1241448, 1242028, ... ) == 0x1
 00676   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00677   484   NtUserGetDC  (0, ... ) == 0x1010054
 00678   484   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x130503e0
 00679   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00680   484   NtGdiSelectBitmap  (318833403, 319095776, ... ) == 0x185000f
 00681   484   NtGdiGetDCforBitmap  (319095776, ... ) == 0x130102fb
 00682   484   NtGdiSaveDC  (318833403, ... ) == 0x1
 00683   484   NtGdiSelectBitmap  (318833403, 319095776, ... ) == 0x130503e0
 00684   484   NtGdiGetDCObject  (318833403, 524288, ... ) == 0x188000b
 00685   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00686   484   NtGdiSetDIBitsToDeviceInternal  (318833403, 0, 0, 32, 64, 0, 0, 0, 64, 3685392, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00687   484   NtUserSelectPalette  (318833403, 25690123, 0, ... ) == 0x188000b
 00688   484   NtGdiSelectBitmap  (318833403, 319095776, ... ) == 0x130503e0
 00689   484   NtGdiRestoreDC  (318833403, -1, ... ) == 0x1
 00690   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x130503e0
 00691   484   NtGdiCreateCompatibleDC  (318833403, ... ) == 0x350103ba
 00692   484   NtGdiExtGetObjectW  (319095776, 24, 1241324, ... ) == 0x18
 00693   484   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x30503eb
 00694   484   NtGdiSelectBitmap  (318833403, 319095776, ... ) == 0x185000f
 00695   484   NtGdiSelectBitmap  (889258938, 50660331, ... ) == 0x185000f
 00696   484   NtGdiBitBlt  (889258938, 0, 0, 32, 64, 318833403, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00697   484   NtGdiSelectBitmap  (318833403, 25493519, ... ) == 0x130503e0
 00698   484   NtGdiSelectBitmap  (889258938, 25493519, ... ) == 0x30503eb
 00699   484   NtGdiDeleteObjectApp  (319095776, ... ) == 0x1
 00700   484   NtGdiDeleteObjectApp  (889258938, ... ) == 0x1
 00701   484   NtUserCallOneParam  (0, 33, ... ) == 0x10097
 00702   484   NtUserSetCursorIconData  (65687, 1241432, 1241448, 1242028, ... ) == 0x1
 00703   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00704   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00705   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00706   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00707   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00708   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00709   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00710   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00711   484   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00712   484   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00713   484   NtUserGetDC  (0, ... ) == 0x1010054
 00714   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00715   484   NtUserEnumDisplayMonitors  (0, 0, 3408484, 9836224, ... ) == 0x1
 00716   484   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00717   484   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329296, ... ) == 0x360a03ba
 00718   484   NtGdiExtGetObjectW  (906625978, 420, 1241808, ... ) == 0x164
 00719   484   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00720   484   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329288, ... ) == 0xf0a03e4
 00721   484   NtGdiExtGetObjectW  (252314596, 420, 1241808, ... ) == 0x164
 00722   484   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329280, ... ) == 0x140a03e0
 00723   484   NtGdiExtGetObjectW  (336200672, 420, 1241808, ... ) == 0x164
 00724   484   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00725   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 4063232, 4096, ) == 0x0
 00726   484   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00727   484   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00728   484   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00729   484   NtOpenMutant  (0x1f0001, {24, 76, 0x0, 0, 0,  (0x1f0001, {24, 76, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00730   484   NtUserSetWindowsHookEx  (3276800, 1243796, 0, 4, 3284668, 2, ... ) == 0x10099
 00731   484   NtProtectVirtualMemory  (-1, (0x4000e0), 4096, 4, ... (0x400000), 8192, 2, ) == 0x0
 00732   484   NtProtectVirtualMemory  (-1, (0x4000e0), 4096, 4, ... (0x400000), 8192, 4, ) == 0x0
 00733   484   NtAllocateVirtualMemory  (-1, 0, 0, 16777216, 4096, 64, ... 10878976, 16777216, ) == 0x0
 00734   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00735   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0
 00736   484   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 00737   484   NtAllocateVirtualMemory  (-1, 4132864, 0, 8192, 4096, 4, ... 4132864, 8192, ) == 0x0
 00738   484   NtAllocateVirtualMemory  (-1, 4141056, 0, 4096, 4096, 4, ... 4141056, 4096, ) == 0x0
 00739   484   NtQueryPerformanceCounter  (... {129428151, 0}, {3579545, 0}, ) == 0x0
 00740   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00741   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00742   484   NtClose  (84, ... ) == 0x0
 00743   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00744   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00745   484   NtClose  (84, ... ) == 0x0
 00746   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00747   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00748   484   NtClose  (84, ... ) == 0x0
 00749   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00750   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00751   484   NtClose  (84, ... ) == 0x0
 00752   484   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00753   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00754   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00755   484   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00756   484   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00757   484   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00758   484   NtCreateEvent  (0x1f0003, {24, 76, 0x80, 1240440, 0,  (0x1f0003, {24, 76, 0x80, 1240440, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00759   484   NtOpenEvent  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 84, ) }, ... 84, ) == 0x0
 00760   484   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00761   484   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00762   484   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 88, 2, ) }, 0, 0x0, 0, ... 88, 2, ) == 0x0
 00763   484   NtQueryDefaultUILanguage  (1238676, ...
 00764   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00765   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 00766   484   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00767   484   NtClose  (-2147482040, ... ) == 0x0
 00768   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00769   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   484   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00771   484   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00772   484   NtClose  (-2147482036, ... ) == 0x0
 00773   484   NtClose  (-2147482040, ... ) == 0x0
 00763   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00774   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00775   484   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00776   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00777   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 96, ) == 0x0
 00778   484   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1a60000), 0x0, 593920, ) == 0x0
 00779   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00780   484   NtQueryDefaultUILanguage  (2013024600, ...
 00781   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00782   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 00783   484   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00784   484   NtClose  (-2147482040, ... ) == 0x0
 00785   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00786   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00787   484   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00788   484   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   484   NtClose  (-2147482036, ... ) == 0x0
 00790   484   NtClose  (-2147482040, ... ) == 0x0
 00780   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00791   484   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00792   484   NtQueryDefaultLocale  (1, 1236712, ... ) == 0x0
 00793   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00794   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\255\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1519, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\255\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 484, 1519, 0}  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\255\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1519, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\\0\0\0\377\377\377\377\0\0\0\0P\275\255\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" )  ) == 0x0
 00795   484   NtClose  (92, ... ) == 0x0
 00796   484   NtClose  (96, ... ) == 0x0
 00797   484   NtUnmapViewOfSection  (-1, 0x1a60000, ... ) == 0x0
 00798   484   NtUnmapViewOfSection  (-1, 0x12e940, ... ) == STATUS_NOT_MAPPED_VIEW
 00799   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00800   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00802   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00803   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235252, ... ) }, 1235252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00805   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00806   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00807   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235844, ... ) }, 1235844, ... ) == 0x0
 00808   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00809   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00810   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00811   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 100, ) == 0x0
 00812   484   NtClose  (92, ... ) == 0x0
 00813   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1b10000), 0x0, 921600, ) == 0x0
 00814   484   NtClose  (100, ... ) == 0x0
 00815   484   NtUnmapViewOfSection  (-1, 0x1b10000, ... ) == 0x0
 00816   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00817   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 92, ) == 0x0
 00818   484   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00819   484   NtClose  (100, ... ) == 0x0
 00820   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00821   484   NtClose  (92, ... ) == 0x0
 00822   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00823   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00824   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00825   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00826   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00827   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00828   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00829   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00830   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00831   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00832   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00833   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00834   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00835   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00836   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00837   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00838   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00839   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00840   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00841   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00842   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00843   484   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237028, ... ) , 42, 1237028, ... ) == 0x0
 00844   484   NtQueryDefaultUILanguage  (1235744, ...
 00845   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00846   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 00847   484   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00848   484   NtClose  (-2147482040, ... ) == 0x0
 00849   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 00850   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   484   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00852   484   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   484   NtClose  (-2147482036, ... ) == 0x0
 00854   484   NtClose  (-2147482040, ... ) == 0x0
 00844   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00855   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00856   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234596, ... ) }, 1234596, ... ) == 0x0
 00857   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00858   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 100, ) == 0x0
 00859   484   NtClose  (92, ... ) == 0x0
 00860   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1a60000), 0x0, 4096, ) == 0x0
 00861   484   NtClose  (100, ... ) == 0x0
 00862   484   NtUnmapViewOfSection  (-1, 0x1a60000, ... ) == 0x0
 00863   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234236, ... ) }, 1234236, ... ) == 0x0
 00864   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234936,  (0x80100080, {24, 0, 0x40, 0, 1234936, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00865   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 92, ) == 0x0
 00866   484   NtClose  (100, ... ) == 0x0
 00867   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1a60000), {0, 0}, 4096, ) == 0x0
 00868   484   NtClose  (92, ... ) == 0x0
 00869   484   NtUnmapViewOfSection  (-1, 0x1a60000, ... ) == 0x0
 00870   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00871   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 100, ) == 0x0
 00872   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1a60000), 0x0, 4096, ) == 0x0
 00873   484   NtQueryInformationFile  (92, 1234556, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00874   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1520, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 484, 1520, 0}  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1520, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" )  ) == 0x0
 00876   484   NtClose  (92, ... ) == 0x0
 00877   484   NtClose  (100, ... ) == 0x0
 00878   484   NtUnmapViewOfSection  (-1, 0x1a60000, ... ) == 0x0
 00879   484   NtUnmapViewOfSection  (-1, 0x12ddcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00880   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00881   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00882   484   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00883   484   NtUserGetDC  (0, ... ) == 0x1010054
 00884   484   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00885   484   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00886   484   NtUserSystemParametersInfo  (66, 12, 1237048, 0, ... ) == 0x1
 00887   484   NtOpenProcessToken  (-1, 0x8, ... 100, ) == 0x0
 00888   484   NtAccessCheck  (1364096, 100, 0x1, 1236452, 1236396, 56, 1236480, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00889   484   NtClose  (100, ... ) == 0x0
 00890   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 100, ) }, ... 100, ) == 0x0
 00891   484   NtQueryValueKey  (100,  (100, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   484   NtClose  (100, ... ) == 0x0
 00893   484   NtUserSystemParametersInfo  (41, 500, 1236548, 0, ... ) == 0x1
 00894   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 100, ) }, ... 100, ) == 0x0
 00895   484   NtQueryValueKey  (100,  (100, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00897   484   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   484   NtClose  (92, ... ) == 0x0
 00899   484   NtClose  (100, ... ) == 0x0
 00900   484   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00901   484   NtUserSystemParametersInfo  (4130, 0, 1237072, 0, ... ) == 0x1
 00902   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 100, ) }, ... 100, ) == 0x0
 00903   484   NtEnumerateValueKey  (100, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00904   484   NtClose  (100, ... ) == 0x0
 00905   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00906   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc03b
 00907   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc03d
 00908   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00909   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc03f
 00910   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00911   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc041
 00912   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00913   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ...
 00914   484   NtAllocateVirtualMemory  (-1, 6782976, 0, 4096, 4096, 32, ... 6782976, 4096, ) == 0x0
 00913   484   NtUserRegisterClassExWOW  ... ) == 0x810dc043
 00915   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc045
 00916   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00917   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc047
 00918   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00919   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc049
 00920   484   NtUserGetClassInfo  (1905590272, 1236968, 1236920, 1236996, 0, ... ) == 0xc049
 00921   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00922   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04b
 00923   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00924   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04d
 00925   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00926   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04f
 00927   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc051
 00928   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00929   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc053
 00930   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00931   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc055
 00932   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc057
 00933   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00934   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc059
 00935   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10013
 00936   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05b
 00937   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00938   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05d
 00939   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00940   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05f
 00941   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00942   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc017
 00943   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00944   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc019
 00945   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10013
 00946   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc018
 00947   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00948   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc01a
 00949   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00950   484   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc01c
 00951   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00952   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc01e
 00953   484   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00954   484   NtUserRegisterClassExWOW  (1236864, 1236944, 1236928, 1236960, 0, 384, 0, ... ) == 0x810dc01b
 00955   484   NtUserFindExistingCursorIcon  (1236348, 1236364, 1236932, ... ) == 0x10011
 00956   484   NtUserRegisterClassExWOW  (1236860, 1236940, 1236924, 1236956, 0, 384, 0, ... ) == 0x810dc068
 00957   484   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00958   484   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc06a
 00959   484   NtCreateKey  (0x2001f, {24, 32, 0x40, 0, 0,  (0x2001f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00960   484   NtQueryValueKey  (100,  (100, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   484   NtQueryValueKey  (100,  (100, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   484   NtQueryValueKey  (100,  (100, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   484   NtQueryValueKey  (100,  (100, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   484   NtQueryValueKey  (100,  (100, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   484   NtQueryValueKey  (100,  (100, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   484   NtQueryValueKey  (100,  (100, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00967   484   NtQueryValueKey  (100,  (100, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968   484   NtQueryValueKey  (100,  (100, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00969   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == 0x0
 00973   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00974   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 104, ) == 0x0
 00975   484   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00976   484   NtClose  (92, ... ) == 0x0
 00977   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 00978   484   NtClose  (104, ... ) == 0x0
 00979   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 104, ) == 0x0
 00980   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00981   484   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 108, ) }, ... 108, ) == 0x0
 00982   484   NtQueryEvent  (108, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 00983   484   NtClose  (108, ... ) == 0x0
 00984   484   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241264, 140, ... 108, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241264, 140, ... 108, 0x0, 0x0, 256, 140, ) == 0x0
 00985   484   NtRequestWaitReplyPort  (108, {28, 52, new_msg, 0, 0, 0, 0, 0}  (108, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 464, 484, 1522, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 464, 484, 1522, 0}  (108, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 464, 484, 1522, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 00986   484   NtQueryValueKey  (100,  (100, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   484   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 112, ) }, ... 112, ) == 0x0
 00988   484   NtQueryValueKey  (112,  (112, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   484   NtClose  (112, ... ) == 0x0
 00990   484   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 112, ) }, ... 112, ) == 0x0
 00991   484   NtQueryValueKey  (112,  (112, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   484   NtClose  (112, ... ) == 0x0
 00993   484   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 112, ) }, ... 112, ) == 0x0
 00994   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 116, ) }, ... 116, ) == 0x0
 00995   484   NtQueryValueKey  (116,  (116, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00996   484   NtClose  (116, ... ) == 0x0
 00997   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 116, ) }, ... 116, ) == 0x0
 00998   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 120, ) }, ... 120, ) == 0x0
 00999   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 01000   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 128, ) }, ... 128, ) == 0x0
 01001   484   NtQueryValueKey  (128,  (128, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01002   484   NtQueryValueKey  (128,  (128, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01003   484   NtClose  (128, ... ) == 0x0
 01004   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 128, ) }, ... 128, ) == 0x0
 01005   484   NtQueryValueKey  (128,  (128, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01006   484   NtQueryValueKey  (128,  (128, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01007   484   NtQueryValueKey  (128,  (128, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01008   484   NtQueryValueKey  (128,  (128, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01009   484   NtQueryValueKey  (128,  (128, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01010   484   NtQueryValueKey  (128,  (128, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01011   484   NtClose  (128, ... ) == 0x0
 01012   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Content"}, ... 128, ) }, ... 128, ) == 0x0
 01013   484   NtQueryValueKey  (128,  (128, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01014   484   NtClose  (128, ... ) == 0x0
 01015   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Content"}, ... 128, ) }, ... 128, ) == 0x0
 01016   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01017   484   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 01018   484   NtClose  (132, ... ) == 0x0
 01019   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01020   484   NtQueryValueKey  (132,  (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01021   484   NtClose  (132, ... ) == 0x0
 01022   484   NtQueryDefaultUILanguage  (1236232, ...
 01023   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01024   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 01025   484   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01026   484   NtClose  (-2147482040, ... ) == 0x0
 01027   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 01028   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01029   484   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 01030   484   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031   484   NtClose  (-2147482036, ... ) == 0x0
 01032   484   NtClose  (-2147482040, ... ) == 0x0
 01022   484   NtQueryDefaultUILanguage  ... ) == 0x0
 01033   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01034   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 132, {status=0x0, info=1}, ) }, 1, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01035   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 132, ... 136, ) == 0x0
 01036   484   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1b10000), 0x0, 8323072, ) == 0x0
 01037   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   484   NtQueryDefaultLocale  (1, 1234268, ... ) == 0x0
 01039   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\0\0\0\377\377\377\377\0\0\0\0\20\311\350\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1523, 0} " S\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\0\0\0\377\377\377\377\0\0\0\0\20\311\350\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 484, 1523, 0}  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\0\0\0\377\377\377\377\0\0\0\0\20\311\350\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1523, 0} " S\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\0\0\0\377\377\377\377\0\0\0\0\20\311\350\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" )  ) == 0x0
 01041   484   NtClose  (132, ... ) == 0x0
 01042   484   NtClose  (136, ... ) == 0x0
 01043   484   NtUnmapViewOfSection  (-1, 0x1b10000, ... ) == 0x0
 01044   484   NtUnmapViewOfSection  (-1, 0x12dfb4, ... ) == STATUS_NOT_MAPPED_VIEW
 01045   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01046   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01048   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01049   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233352, ... ) }, 1233352, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01050   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01051   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01052   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01053   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233944, ... ) }, 1233944, ... ) == 0x0
 01054   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 136, {status=0x0, info=1}, ) }, 3, 33, ... 136, {status=0x0, info=1}, ) == 0x0
 01055   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01056   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03b
 01057   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03d
 01058   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03f
 01059   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc041
 01060   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc043
 01061   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc045
 01062   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc047
 01063   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc049
 01064   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04b
 01065   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04d
 01066   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04f
 01067   484   NtUserGetClassInfo  (1999896576, 1237972, 1237924, 1238000, 0, ... ) == 0xc051
 01068   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc053
 01069   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc055
 01070   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc059
 01071   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05b
 01072   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05d
 01073   484   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05f
 01074   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01075   484   NtCreateSemaphore  (0x1f0003, {24, 76, 0x80, 1367176, 0,  (0x1f0003, {24, 76, 0x80, 1367176, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 132, ) }, 0, 2147483647, ... 132, ) == STATUS_OBJECT_NAME_EXISTS
 01076   484   NtReleaseSemaphore  (132, 1, ... 0, ) == 0x0
 01077   484   NtWaitForSingleObject  (132, 0, {0, 0}, ... ) == 0x0
 01078   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01079   484   NtQueryValueKey  (140,  (140, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01080   484   NtClose  (140, ... ) == 0x0
 01081   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 01082   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01083   484   NtSetValueKey  (140,  (140, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (140, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 01084   484   NtClose  (140, ... ) == 0x0
 01085   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 01086   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 01087   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 140, {status=0x0, info=1}, ) }, 7, 2113568, ... 140, {status=0x0, info=1}, ) == 0x0
 01088   484   NtSetInformationFile  (140, 1239532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01089   484   NtClose  (140, ... ) == 0x0
 01090   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 01091   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01092   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01093   484   NtQueryValueKey  (128,  (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 01094   484   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 140, ) }, ... 140, ) == 0x0
 01095   484   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Paths"}, ... 144, ) }, ... 144, ) == 0x0
 01096   484   NtOpenKey  (0xf, {24, 144, 0x40, 0, 0,  (0xf, {24, 144, 0x40, 0, 0, "Path1"}, ... 148, ) }, ... 148, ) == 0x0
 01097   484   NtOpenKey  (0xf, {24, 144, 0x40, 0, 0,  (0xf, {24, 144, 0x40, 0, 0, "Path2"}, ... 152, ) }, ... 152, ) == 0x0
 01098   484   NtOpenKey  (0xf, {24, 144, 0x40, 0, 0,  (0xf, {24, 144, 0x40, 0, 0, "Path3"}, ... 156, ) }, ... 156, ) == 0x0
 01099   484   NtOpenKey  (0xf, {24, 144, 0x40, 0, 0,  (0xf, {24, 144, 0x40, 0, 0, "Path4"}, ... 160, ) }, ... 160, ) == 0x0
 01100   484   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Special Paths"}, ... 164, ) }, ... 164, ) == 0x0
 01101   484   NtSetValueKey  (144,  (144, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (144, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 01102   484   NtSetValueKey  (144,  (144, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (144, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01103   484   NtSetValueKey  (148,  (148, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (148, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01104   484   NtSetValueKey  (152,  (152, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (152, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01105   484   NtSetValueKey  (156,  (156, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (156, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01106   484   NtSetValueKey  (160,  (160, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (160, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01107   484   NtSetValueKey  (148,  (148, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (148, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01108   484   NtSetValueKey  (152,  (152, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (152, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01109   484   NtSetValueKey  (156,  (156, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (156, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01110   484   NtSetValueKey  (160,  (160, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (160, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01111   484   NtClose  (160, ... ) == 0x0
 01112   484   NtClose  (156, ... ) == 0x0
 01113   484   NtClose  (152, ... ) == 0x0
 01114   484   NtClose  (148, ... ) == 0x0
 01115   484   NtClose  (144, ... ) == 0x0
 01116   484   NtClose  (164, ... ) == 0x0
 01117   484   NtClose  (140, ... ) == 0x0
 01118   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Cookies"}, ... 140, ) }, ... 140, ) == 0x0
 01119   484   NtQueryValueKey  (140,  (140, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01120   484   NtClose  (140, ... ) == 0x0
 01121   484   NtClose  (128, ... ) == 0x0
 01122   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Cookies"}, ... 128, ) }, ... 128, ) == 0x0
 01123   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01124   484   NtReleaseSemaphore  (132, 1, ... 0, ) == 0x0
 01125   484   NtWaitForSingleObject  (132, 0, {0, 0}, ... ) == 0x0
 01126   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01127   484   NtQueryValueKey  (140,  (140, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01128   484   NtClose  (140, ... ) == 0x0
 01129   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 01130   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01131   484   NtSetValueKey  (140,  (140, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (140, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01132   484   NtClose  (140, ... ) == 0x0
 01133   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 01134   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01135   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01136   484   NtQueryValueKey  (128,  (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01137   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "History"}, ... 140, ) }, ... 140, ) == 0x0
 01138   484   NtQueryValueKey  (140,  (140, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01139   484   NtClose  (140, ... ) == 0x0
 01140   484   NtClose  (128, ... ) == 0x0
 01141   484   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "History"}, ... 128, ) }, ... 128, ) == 0x0
 01142   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01143   484   NtReleaseSemaphore  (132, 1, ... 0, ) == 0x0
 01144   484   NtWaitForSingleObject  (132, 0, {0, 0}, ... ) == 0x0
 01145   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01146   484   NtQueryValueKey  (140,  (140, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01147   484   NtClose  (140, ... ) == 0x0
 01148   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 01149   484   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01150   484   NtSetValueKey  (140,  (140, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1,  (140, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0
 01151   484   NtClose  (140, ... ) == 0x0
 01152   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 01153   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 01154   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 140, {status=0x0, info=1}, ) }, 7, 2113568, ... 140, {status=0x0, info=1}, ) == 0x0
 01155   484   NtSetInformationFile  (140, 1239532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01156   484   NtClose  (140, ... ) == 0x0
 01157   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 01158   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01159   484   NtQueryValueKey  (128,  (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01160   484   NtQueryValueKey  (128,  (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01161   484   NtClose  (128, ... ) == 0x0
 01162   484   NtClose  (124, ... ) == 0x0
 01163   484   NtClose  (116, ... ) == 0x0
 01164   484   NtClose  (120, ... ) == 0x0
 01165   484   NtClose  (112, ... ) == 0x0
 01166   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 112, ) }, ... 112, ) == 0x0
 01167   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 120, ) }, ... 120, ) == 0x0
 01168   484   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 01169   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0
 01170   484   NtQueryVolumeInformationFile  (116, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01171   484   NtClose  (116, ... ) == 0x0
 01172   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0
 01173   484   NtQueryVolumeInformationFile  (116, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01174   484   NtClose  (116, ... ) == 0x0
 01175   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 01176   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 01177   484   NtSetInformationFile  (116, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01178   484   NtClose  (116, ... ) == 0x0
 01179   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241420,  (0xc0100080, {24, 0, 0x40, 1367176, 1241420, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01180   484   NtSetInformationFile  (116, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01181   484   NtQueryInformationFile  (116, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01182   484   NtClose  (116, ... ) == 0x0
 01183   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241404,  (0xc0100080, {24, 0, 0x40, 1367176, 1241404, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01184   484   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 124, ) }, ... 124, ) == 0x0
 01185   484   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1a80000), {0, 0}, 32768, ) == 0x0
 01186   484   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01187   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 128, ) }, ... 128, ) == 0x0
 01188   484   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01189   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 140, {status=0x0, info=1}, ) }, 3, 8388641, ... 140, {status=0x0, info=1}, ) == 0x0
 01190   484   NtQueryVolumeInformationFile  (140, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01191   484   NtClose  (140, ... ) == 0x0
 01192   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 140, {status=0x0, info=1}, ) }, 3, 8388641, ... 140, {status=0x0, info=1}, ) == 0x0
 01193   484   NtQueryVolumeInformationFile  (140, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01194   484   NtClose  (140, ... ) == 0x0
 01195   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 01196   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 140, {status=0x0, info=1}, ) }, 7, 2113568, ... 140, {status=0x0, info=1}, ) == 0x0
 01197   484   NtSetInformationFile  (140, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01198   484   NtClose  (140, ... ) == 0x0
 01199   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241420,  (0xc0100080, {24, 0, 0x40, 1367176, 1241420, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 01200   484   NtSetInformationFile  (140, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01201   484   NtQueryInformationFile  (140, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01202   484   NtClose  (140, ... ) == 0x0
 01203   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241404,  (0xc0100080, {24, 0, 0x40, 1367176, 1241404, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 01204   484   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 164, ) }, ... 164, ) == 0x0
 01205   484   NtMapViewOfSection  (164, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1a90000), {0, 0}, 16384, ) == 0x0
 01206   484   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01207   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 144, ) }, ... 144, ) == 0x0
 01208   484   NtWaitForSingleObject  (144, 0, 0x0, ... ) == 0x0
 01209   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 148, {status=0x0, info=1}, ) }, 3, 8388641, ... 148, {status=0x0, info=1}, ) == 0x0
 01210   484   NtQueryVolumeInformationFile  (148, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01211   484   NtClose  (148, ... ) == 0x0
 01212   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 148, {status=0x0, info=1}, ) }, 3, 8388641, ... 148, {status=0x0, info=1}, ) == 0x0
 01213   484   NtQueryVolumeInformationFile  (148, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01214   484   NtClose  (148, ... ) == 0x0
 01215   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 01216   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0
 01217   484   NtSetInformationFile  (148, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01218   484   NtClose  (148, ... ) == 0x0
 01219   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241420,  (0xc0100080, {24, 0, 0x40, 1367176, 1241420, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01220   484   NtSetInformationFile  (148, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01221   484   NtQueryInformationFile  (148, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01222   484   NtClose  (148, ... ) == 0x0
 01223   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1367176, 1241404,  (0xc0100080, {24, 0, 0x40, 1367176, 1241404, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01224   484   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 152, ) }, ... 152, ) == 0x0
 01225   484   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1aa0000), {0, 0}, 32768, ) == 0x0
 01226   484   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01227   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 01228   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 156, {status=0x0, info=1}, ) }, 7, 2113568, ... 156, {status=0x0, info=1}, ) == 0x0
 01229   484   NtSetInformationFile  (156, 1241460, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01230   484   NtClose  (156, ... ) == 0x0
 01231   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 01232   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 01233   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 156, {status=0x0, info=1}, ) }, 7, 2113568, ... 156, {status=0x0, info=1}, ) == 0x0
 01234   484   NtSetInformationFile  (156, 1241460, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01235   484   NtClose  (156, ... ) == 0x0
 01236   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 01237   484   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 01238   484   NtQueryInformationFile  (116, 1239868, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01239   484   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01240   484   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 156, ) }, ... 156, ) == 0x0
 01241   484   NtOpenKey  (0xf, {24, 156, 0x40, 0, 0,  (0xf, {24, 156, 0x40, 0, 0, "Extensible Cache"}, ... 160, ) }, ... 160, ) == 0x0
 01242   484   NtClose  (156, ... ) == 0x0
 01243   484   NtWaitForSingleObject  (112, 0, {-600000000, -1}, ... ) == 0x0
 01244   484   NtEnumerateKey  (160, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (160, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0
 01245   484   NtOpenKey  (0xf, {24, 160, 0x40, 0, 0,  (0xf, {24, 160, 0x40, 0, 0, "MSHist012007051420070521"}, ... 156, ) }, ... 156, ) == 0x0
 01246   484   NtQueryValueKey  (156,  (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01247   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01248   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01249   484   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01250   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01251   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01252   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01253   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01254   484   NtQueryValueKey  (156,  (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01255   484   NtQueryValueKey  (156,  (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01256   484   NtClose  (156, ... ) == 0x0
 01257   484   NtEnumerateKey  (160, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (160, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0
 01258   484   NtOpenKey  (0xf, {24, 160, 0x40, 0, 0,  (0xf, {24, 160, 0x40, 0, 0, "MSHist012007052120070528"}, ... 156, ) }, ... 156, ) == 0x0
 01259   484   NtQueryValueKey  (156,  (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01260   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01261   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01262   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01263   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01264   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01265   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01266   484   NtQueryValueKey  (156,  (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01267   484   NtQueryValueKey  (156,  (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01268   484   NtClose  (156, ... ) == 0x0
 01269   484   NtEnumerateKey  (160, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (160, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0
 01270   484   NtOpenKey  (0xf, {24, 160, 0x40, 0, 0,  (0xf, {24, 160, 0x40, 0, 0, "MSHist012007053120070601"}, ... 156, ) }, ... 156, ) == 0x0
 01271   484   NtQueryValueKey  (156,  (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01272   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01273   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01274   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01275   484   NtQueryValueKey  (156,  (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (156, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01276   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01277   484   NtQueryValueKey  (156,  (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01278   484   NtQueryValueKey  (156,  (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01279   484   NtQueryValueKey  (156,  (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01280   484   NtClose  (156, ... ) == 0x0
 01281   484   NtEnumerateKey  (160, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01282   484   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 01283   484   NtClose  (160, ... ) == 0x0
 01284   484   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 01285   484   NtQueryInformationFile  (116, 1241796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01286   484   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01287   484   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 01288   484   NtQueryInformationFile  (116, 1241868, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01289   484   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01290   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01291   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01292   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01294   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 160, ) }, ... 160, ) == 0x0
 01296   484   NtQueryValueKey  (160,  (160, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01297   484   NtClose  (160, ... ) == 0x0
 01298   484   NtQueryValueKey  (100,  (100, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01299   484   NtQueryValueKey  (100,  (100, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   484   NtQueryValueKey  (100,  (100, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   484   NtQueryValueKey  (100,  (100, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   484   NtQueryValueKey  (100,  (100, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   484   NtQueryValueKey  (100,  (100, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   484   NtQueryValueKey  (100,  (100, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   484   NtQueryValueKey  (100,  (100, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   484   NtQueryValueKey  (100,  (100, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   484   NtQueryValueKey  (100,  (100, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01308   484   NtQueryValueKey  (100,  (100, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01309   484   NtQueryValueKey  (100,  (100, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01310   484   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 160, ) }, ... 160, ) == 0x0
 01311   484   NtQueryValueKey  (160,  (160, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   484   NtClose  (160, ... ) == 0x0
 01313   484   NtQueryValueKey  (100,  (100, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01314   484   NtQueryValueKey  (100,  (100, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315   484   NtQueryValueKey  (100,  (100, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01316   484   NtQueryValueKey  (100,  (100, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01317   484   NtQueryValueKey  (100,  (100, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   484   NtQueryValueKey  (100,  (100, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   484   NtQueryValueKey  (100,  (100, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01320   484   NtQueryValueKey  (100,  (100, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   484   NtQueryValueKey  (100,  (100, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01322   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 160, ) }, ... 160, ) == 0x0
 01323   484   NtQueryValueKey  (160,  (160, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324   484   NtClose  (160, ... ) == 0x0
 01325   484   NtQueryValueKey  (100,  (100, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   484   NtQueryValueKey  (100,  (100, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01327   484   NtQueryValueKey  (100,  (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01328   484   NtQueryValueKey  (100,  (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01329   484   NtQueryValueKey  (100,  (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01330   484   NtQueryValueKey  (100,  (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01331   484   NtQueryValueKey  (100,  (100, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   484   NtQueryValueKey  (100,  (100, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01333   484   NtQueryValueKey  (100,  (100, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01334   484   NtQueryValueKey  (100,  (100, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01335   484   NtQueryValueKey  (100,  (100, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (100, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01336   484   NtQueryValueKey  (100,  (100, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337   484   NtQueryValueKey  (100,  (100, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01338   484   NtQueryValueKey  (100,  (100, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01339   484   NtQueryValueKey  (100,  (100, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01340   484   NtQueryValueKey  (100,  (100, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341   484   NtQueryValueKey  (100,  (100, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01342   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "WininetStartupMutex"}, ... 160, ) }, ... 160, ) == 0x0
 01343   484   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 156, ) == 0x0
 01344   484   NtQueryValueKey  (100,  (100, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   484   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 01346   484   NtQueryInformationFile  (116, 1241844, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01347   484   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01348   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "WininetConnectionMutex"}, ... 168, ) }, ... 168, ) == 0x0
 01349   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 172, ) == 0x0
 01350   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 176, ) }, ... 176, ) == 0x0
 01351   484   NtQueryValueKey  (100,  (100, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01352   484   NtQueryValueKey  (100,  (100, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01353   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 180, ) }, ... 180, ) == 0x0
 01354   484   NtQueryValueKey  (180,  (180, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01355   484   NtQueryValueKey  (180,  (180, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01356   484   NtClose  (180, ... ) == 0x0
 01357   484   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 180, ) == 0x0
 01358   484   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 01359   484   NtClearEvent  (180, ... ) == 0x0
 01360   484   NtSetEvent  (180, ... 0x0, ) == 0x0
 01361   484   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01362   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01363   484   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01364   484   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01365   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01366   484   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 192, ) }, ... 192, ) == 0x0
 01367   484   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01368   484   NtNotifyChangeKey  (192, 188, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01369   484   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01370   484   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371   484   NtQueryValueKey  (192,  (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 01372   484   NtQueryValueKey  (192,  (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01373   484   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "Catalog_Entries"}, ... 196, ) }, ... 196, ) == 0x0
 01374   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000001"}, ... 200, ) }, ... 200, ) == 0x0
 01375   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01376   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01377   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0b\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01378   484   NtClose  (200, ... ) == 0x0
 01379   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000002"}, ... 200, ) }, ... 200, ) == 0x0
 01380   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01381   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01382   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0g\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01383   484   NtClose  (200, ... ) == 0x0
 01384   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000003"}, ... 200, ) }, ... 200, ) == 0x0
 01385   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01386   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01387   484   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01388   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0n\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01389   484   NtClose  (200, ... ) == 0x0
 01390   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000004"}, ... 200, ) }, ... 200, ) == 0x0
 01391   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01392   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01393   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0r\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0s\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01394   484   NtClose  (200, ... ) == 0x0
 01395   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000005"}, ... 200, ) }, ... 200, ) == 0x0
 01396   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01397   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01398   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0w\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0x\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01399   484   NtClose  (200, ... ) == 0x0
 01400   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000006"}, ... 200, ) }, ... 200, ) == 0x0
 01401   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01402   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01403   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0|\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0}\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01404   484   NtClose  (200, ... ) == 0x0
 01405   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000007"}, ... 200, ) }, ... 200, ) == 0x0
 01406   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01407   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01408   484   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01409   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01410   484   NtClose  (200, ... ) == 0x0
 01411   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000008"}, ... 200, ) }, ... 200, ) == 0x0
 01412   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01413   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01414   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\207\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\210\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01415   484   NtClose  (200, ... ) == 0x0
 01416   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000009"}, ... 200, ) }, ... 200, ) == 0x0
 01417   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01418   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01419   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\214\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\215\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01420   484   NtClose  (200, ... ) == 0x0
 01421   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000010"}, ... 200, ) }, ... 200, ) == 0x0
 01422   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01423   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01424   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\221\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\361\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\222\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\5\0\0\320\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01425   484   NtClose  (200, ... ) == 0x0
 01426   484   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000011"}, ... 200, ) }, ... 200, ) == 0x0
 01427   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01428   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01429   484   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\226\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\226\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\227\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\5\0\0\320\1\0\0\344\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\5\0\0\320\1\0\0\344\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\231\5\0\0\320\1\0\0\344\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\231\5\0\0\320\1\0\0\344\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\232\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\314\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\320\360\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\226\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\226\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\227\5\0\0\320\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\5\0\0\320\1\0\0\344\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\5\0\0\320\1\0\0\344\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\231\5\0\0\320\1\0\0\344\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\231\5\0\0\320\1\0\0\344\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\232\5\0\0\320\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\314\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\320\360\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 01430   484   NtClose  (200, ... ) == 0x0
 01431   484   NtClose  (196, ... ) == 0x0
 01432   484   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 01433   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01434   484   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 200, ) }, ... 200, ) == 0x0
 01435   484   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01436   484   NtNotifyChangeKey  (200, 196, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01437   484   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01438   484   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   484   NtQueryValueKey  (200,  (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01440   484   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "Catalog_Entries"}, ... 204, ) }, ... 204, ) == 0x0
 01441   484   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01442   484   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000001"}, ... 208, ) }, ... 208, ) == 0x0
 01443   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01444   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01445   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01446   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01447   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01448   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01449   484   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01450   484   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   484   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01452   484   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01453   484   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01454   484   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01455   484   NtClose  (208, ... ) == 0x0
 01456   484   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000002"}, ... 208, ) }, ... 208, ) == 0x0
 01457   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01458   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01459   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01460   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01461   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01462   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01463   484   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01464   484   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   484   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01466   484   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01467   484   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01468   484   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01469   484   NtClose  (208, ... ) == 0x0
 01470   484   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000003"}, ... 208, ) }, ... 208, ) == 0x0
 01471   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01472   484   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01473   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01474   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01475   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01476   484   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01477   484   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01478   484   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   484   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01480   484   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01481   484   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01482   484   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01483   484   NtClose  (208, ... ) == 0x0
 01484   484   NtClose  (204, ... ) == 0x0
 01485   484   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x102
 01486   484   NtClose  (184, ... ) == 0x0
 01487   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01488   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01489   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01490   484   NtQueryValueKey  (184,  (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491   484   NtClose  (184, ... ) == 0x0
 01492   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 01493   484   NtClearEvent  (156, ... ) == 0x0
 01494   484   NtSetEvent  (156, ... 0x0, ) == 0x0
 01495   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01498   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == 0x0
 01499   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01500   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01501   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01502   484   NtClose  (204, ... ) == 0x0
 01503   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 01504   484   NtClose  (208, ... ) == 0x0
 01505   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == 0x0
 01509   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01510   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01511   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01512   484   NtClose  (208, ... ) == 0x0
 01513   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0
 01514   484   NtClose  (204, ... ) == 0x0
 01515   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1239968, ... ) }, 1239968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netman.dll"}, 1239968, ... ) }, 1239968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 01519   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01520   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01521   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01522   484   NtClose  (204, ... ) == 0x0
 01523   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0
 01524   484   NtClose  (208, ... ) == 0x0
 01525   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01529   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01530   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01531   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01532   484   NtClose  (208, ... ) == 0x0
 01533   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0
 01534   484   NtClose  (204, ... ) == 0x0
 01535   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01537   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01539   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01540   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01541   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01542   484   NtClose  (204, ... ) == 0x0
 01543   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0
 01544   484   NtClose  (208, ... ) == 0x0
 01545   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01549   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01550   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01551   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01552   484   NtClose  (208, ... ) == 0x0
 01553   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0
 01554   484   NtClose  (204, ... ) == 0x0
 01555   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == 0x0
 01559   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01560   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01561   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01562   484   NtClose  (204, ... ) == 0x0
 01563   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01564   484   NtClose  (208, ... ) == 0x0
 01565   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 208, ) }, ... 208, ) == 0x0
 01566   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01567   484   NtClose  (208, ... ) == 0x0
 01568   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01572   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01573   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01574   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01575   484   NtClose  (208, ... ) == 0x0
 01576   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01577   484   NtClose  (204, ... ) == 0x0
 01578   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01582   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01583   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01584   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01585   484   NtClose  (204, ... ) == 0x0
 01586   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
 01587   484   NtClose  (208, ... ) == 0x0
 01588   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01592   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01593   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01594   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01595   484   NtClose  (208, ... ) == 0x0
 01596   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 01597   484   NtClose  (204, ... ) == 0x0
 01598   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01602   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01603   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01604   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01605   484   NtClose  (204, ... ) == 0x0
 01606   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01607   484   NtClose  (208, ... ) == 0x0
 01608   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01609   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01610   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01612   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01613   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01614   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01615   484   NtClose  (208, ... ) == 0x0
 01616   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
 01617   484   NtClose  (204, ... ) == 0x0
 01618   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01619   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01620   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01621   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01622   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01623   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01624   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01625   484   NtClose  (204, ... ) == 0x0
 01626   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
 01627   484   NtClose  (208, ... ) == 0x0
 01628   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01629   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01632   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01633   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01634   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01635   484   NtClose  (208, ... ) == 0x0
 01636   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
 01637   484   NtClose  (204, ... ) == 0x0
 01638   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01639   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01640   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01641   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01642   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01643   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01644   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01645   484   NtClose  (204, ... ) == 0x0
 01646   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 01647   484   NtClose  (208, ... ) == 0x0
 01648   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01650   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01651   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01652   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01653   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01654   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01655   484   NtClose  (208, ... ) == 0x0
 01656   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0
 01657   484   NtClose  (204, ... ) == 0x0
 01658   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01660   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01661   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01662   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01663   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01664   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01665   484   NtClose  (204, ... ) == 0x0
 01666   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0
 01667   484   NtClose  (208, ... ) == 0x0
 01668   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01671   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01672   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01673   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01674   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01675   484   NtClose  (208, ... ) == 0x0
 01676   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0
 01677   484   NtClose  (204, ... ) == 0x0
 01678   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01679   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01682   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01683   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01684   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01685   484   NtClose  (204, ... ) == 0x0
 01686   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01687   484   NtClose  (208, ... ) == 0x0
 01688   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01689   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01690   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01692   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01693   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 01694   484   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01695   484   NtClose  (208, ... ) == 0x0
 01696   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01697   484   NtClose  (204, ... ) == 0x0
 01698   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01699   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01700   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01701   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01702   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01703   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01704   484   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01705   484   NtClose  (204, ... ) == 0x0
 01706   484   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0
 01707   484   NtClose  (208, ... ) == 0x0
 01708   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0
 01709   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 204, ) }, ... 204, ) == 0x0
 01710   484   NtQueryValueKey  (204,  (204, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01711   484   NtClose  (204, ... ) == 0x0
 01712   484   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01713   484   NtQueryDefaultLocale  (1, 1241416, ... ) == 0x0
 01714   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01715   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 27983872, 262144, ) == 0x0
 01716   484   NtAllocateVirtualMemory  (-1, 27983872, 0, 4096, 4096, 4, ... 27983872, 4096, ) == 0x0
 01717   484   NtAllocateVirtualMemory  (-1, 27987968, 0, 8192, 4096, 4, ... 27987968, 8192, ) == 0x0
 01718   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01719   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01720   484   NtQueryDefaultLocale  (1, 1241376, ... ) == 0x0
 01721   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01722   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01723   484   NtQueryValueKey  (204,  (204, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01724   484   NtClose  (204, ... ) == 0x0
 01725   484   NtUserGetProcessWindowStation  (... ) == 0x2c
 01726   484   NtUserGetObjectInformation  (44, 1, 1241048, 12, 1241060, ... ) == 0x1
 01727   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 204, ) }, ... 204, ) == 0x0
 01728   484   NtQueryValueKey  (204,  (204, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01729   484   NtClose  (204, ... ) == 0x0
 01730   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01731   484   NtQueryValueKey  (204,  (204, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01732   484   NtQueryValueKey  (204,  (204, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01733   484   NtClose  (204, ... ) == 0x0
 01734   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01735   484   NtQueryValueKey  (204,  (204, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01736   484   NtQueryValueKey  (204,  (204, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01737   484   NtClose  (204, ... ) == 0x0
 01738   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01739   484   NtQueryValueKey  (204,  (204, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01740   484   NtQueryValueKey  (204,  (204, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01741   484   NtClose  (204, ... ) == 0x0
 01742   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01743   484   NtQueryValueKey  (204,  (204, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01744   484   NtQueryValueKey  (204,  (204, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01745   484   NtClose  (204, ... ) == 0x0
 01746   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 204, ) }, ... 204, ) == 0x0
 01747   484   NtQueryValueKey  (204,  (204, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01748   484   NtQueryValueKey  (204,  (204, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01749   484   NtClose  (204, ... ) == 0x0
 01750   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 204, ) }, ... 204, ) == 0x0
 01751   484   NtQueryValueKey  (204,  (204, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01752   484   NtClose  (204, ... ) == 0x0
 01753   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01754   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 212, ) == 0x0
 01755   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01756   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 220, ) == 0x0
 01757   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01758   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 228, ) == 0x0
 01759   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 232, ) }, ... 232, ) == 0x0
 01760   484   NtQueryValueKey  (232,  (232, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   484   NtQueryValueKey  (232,  (232, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   484   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   484   NtClose  (232, ... ) == 0x0
 01764   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240968, ... ) }, 1240968, ... ) == 0x0
 01765   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 232, ) }, ... 232, ) == 0x0
 01766   484   NtQueryValueKey  (232,  (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01767   484   NtClose  (232, ... ) == 0x0
 01768   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 01769   484   NtQueryValueKey  (232,  (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01770   484   NtClose  (232, ... ) == 0x0
 01771   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 01773   484   NtQueryValueKey  (232,  (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01774   484   NtClose  (232, ... ) == 0x0
 01775   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01776   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0
 01777   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 240, ) == 0x0
 01778   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 244, ) }, ... 244, ) == 0x0
 01779   484   NtQueryValueKey  (244,  (244, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   484   NtQueryValueKey  (244,  (244, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01781   484   NtQueryValueKey  (244,  (244, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01782   484   NtQueryValueKey  (244,  (244, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   484   NtQueryValueKey  (244,  (244, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01784   484   NtQueryValueKey  (244,  (244, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01785   484   NtQueryValueKey  (244,  (244, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01786   484   NtQueryValueKey  (244,  (244, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01787   484   NtQueryValueKey  (244,  (244, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01788   484   NtQueryValueKey  (244,  (244, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01789   484   NtQueryValueKey  (244,  (244, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01790   484   NtQueryValueKey  (244,  (244, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01791   484   NtQueryValueKey  (244,  (244, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01792   484   NtQueryValueKey  (244,  (244, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   484   NtQueryValueKey  (244,  (244, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01794   484   NtQueryValueKey  (244,  (244, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01795   484   NtQueryValueKey  (244,  (244, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01796   484   NtQueryValueKey  (244,  (244, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01797   484   NtQueryValueKey  (244,  (244, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   484   NtQueryValueKey  (244,  (244, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01799   484   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01800   484   NtQueryValueKey  (244,  (244, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01801   484   NtQueryValueKey  (244,  (244, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01802   484   NtQueryValueKey  (244,  (244, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803   484   NtQueryValueKey  (244,  (244, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01804   484   NtQueryValueKey  (244,  (244, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01805   484   NtQueryValueKey  (244,  (244, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01806   484   NtQueryValueKey  (244,  (244, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01807   484   NtQueryValueKey  (244,  (244, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   484   NtQueryValueKey  (244,  (244, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01809   484   NtQueryValueKey  (244,  (244, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810   484   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 01811   484   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 248, ) }, ... 248, ) == 0x0
 01812   484   NtQueryValueKey  (248,  (248, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01813   484   NtClose  (248, ... ) == 0x0
 01814   484   NtCreateEvent  (0x1f0003, {24, 76, 0x80, 0, 0,  (0x1f0003, {24, 76, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01815   484   NtQueryValueKey  (244,  (244, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01816   484   NtQueryValueKey  (244,  (244, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01817   484   NtQueryValueKey  (244,  (244, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   484   NtQueryValueKey  (244,  (244, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01819   484   NtQueryValueKey  (244,  (244, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01820   484   NtQueryValueKey  (244,  (244, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01821   484   NtQueryValueKey  (244,  (244, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   484   NtQueryValueKey  (244,  (244, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   484   NtQueryValueKey  (244,  (244, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01824   484   NtQueryValueKey  (244,  (244, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01825   484   NtQueryDefaultUILanguage  (1239936, ...
 01826   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01827   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482036, ) == 0x0
 01828   484   NtQueryInformationToken  (-2147482036, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01829   484   NtClose  (-2147482036, ... ) == 0x0
 01830   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 01831   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   484   NtOpenKey  (0x80000000, {24, -2147482036, 0x640, 0, 0,  (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01833   484   NtQueryValueKey  (-2147482020,  (-2147482020, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01834   484   NtClose  (-2147482020, ... ) == 0x0
 01835   484   NtClose  (-2147482036, ... ) == 0x0
 01825   484   NtQueryDefaultUILanguage  ... ) == 0x0
 01836   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01837   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 248, {status=0x0, info=1}, ) }, 1, 96, ... 248, {status=0x0, info=1}, ) == 0x0
 01838   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 248, ... 252, ) == 0x0
 01839   484   NtMapViewOfSection  (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1b10000), 0x0, 163840, ) == 0x0
 01840   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841   484   NtQueryDefaultLocale  (1, 1237972, ... ) == 0x0
 01842   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01843   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\370\0\0\0\377\377\377\377\0\0\0\0\360Z\263\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1528, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\370\0\0\0\377\377\377\377\0\0\0\0\360Z\263\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 484, 1528, 0}  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\370\0\0\0\377\377\377\377\0\0\0\0\360Z\263\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 484, 1528, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\370\0\0\0\377\377\377\377\0\0\0\0\360Z\263\1\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" )  ) == 0x0
 01844   484   NtClose  (248, ... ) == 0x0
 01845   484   NtClose  (252, ... ) == 0x0
 01846   484   NtUnmapViewOfSection  (-1, 0x1b10000, ... ) == 0x0
 01847   484   NtUnmapViewOfSection  (-1, 0x12ee2c, ... ) == STATUS_NOT_MAPPED_VIEW
 01848   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01849   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01850   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01851   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01852   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237056, ... ) }, 1237056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01854   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01855   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01856   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237648, ... ) }, 1237648, ... ) == 0x0
 01857   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 252, {status=0x0, info=1}, ) }, 3, 33, ... 252, {status=0x0, info=1}, ) == 0x0
 01858   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01859   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 248, ) }, ... 248, ) == 0x0
 01860   484   NtQueryValueKey  (248,  (248, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01861   484   NtQueryValueKey  (248,  (248, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01862   484   NtClose  (248, ... ) == 0x0
 01863   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 248, ) == 0x0
 01864   484   NtCreateMutant  (0x1f0001, {24, 76, 0x80, 1391616, 0,  (0x1f0001, {24, 76, 0x80, 1391616, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED
 01865   484   NtOpenMutant  (0x100000, {24, 76, 0x0, 0, 0,  (0x100000, {24, 76, 0x0, 0, 0, "RasPbFile"}, ... 256, ) }, ... 256, ) == 0x0
 01866   484   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 260, ) == 0x0
 01867   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 264, ) == 0x0
 01868   484   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 268, ) == 0x0
 01869   484   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 272, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 272, 2, ) , 0, ... 272, 2, ) == 0x0
 01870   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 276, ) }, ... 276, ) == 0x0
 01871   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01872   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01873   484   NtQueryValueKey  (276,  (276, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01874   484   NtQueryValueKey  (272,  (272, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01875   484   NtQueryValueKey  (276,  (276, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   484   NtQueryValueKey  (272,  (272, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01877   484   NtQueryValueKey  (276,  (276, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   484   NtQueryValueKey  (272,  (272, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01879   484   NtQueryValueKey  (276,  (276, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   484   NtQueryValueKey  (272,  (272, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01881   484   NtQueryValueKey  (276,  (276, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   484   NtQueryValueKey  (276,  (276, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883   484   NtQueryValueKey  (276,  (276, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01884   484   NtQueryValueKey  (276,  (276, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   484   NtQueryValueKey  (276,  (276, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01886   484   NtQueryValueKey  (276,  (276, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01887   484   NtQueryValueKey  (276,  (276, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01888   484   NtQueryValueKey  (272,  (272, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889   484   NtQueryValueKey  (276,  (276, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01890   484   NtQueryValueKey  (276,  (276, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891   484   NtQueryValueKey  (272,  (272, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01892   484   NtQueryValueKey  (276,  (276, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893   484   NtQueryValueKey  (272,  (272, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01894   484   NtQueryValueKey  (276,  (276, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895   484   NtQueryValueKey  (272,  (272, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01896   484   NtQueryValueKey  (276,  (276, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01897   484   NtQueryValueKey  (272,  (272, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898   484   NtQueryValueKey  (276,  (276, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01899   484   NtQueryValueKey  (272,  (272, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900   484   NtQueryValueKey  (276,  (276, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01901   484   NtQueryValueKey  (272,  (272, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902   484   NtQueryValueKey  (276,  (276, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903   484   NtQueryValueKey  (272,  (272, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904   484   NtQueryValueKey  (276,  (276, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905   484   NtQueryValueKey  (272,  (272, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   484   NtQueryValueKey  (276,  (276, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01907   484   NtQueryValueKey  (276,  (276, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01908   484   NtQueryValueKey  (276,  (276, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01909   484   NtQueryValueKey  (276,  (276, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910   484   NtQueryValueKey  (276,  (276, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911   484   NtQueryValueKey  (276,  (276, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01912   484   NtQueryValueKey  (276,  (276, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913   484   NtQueryValueKey  (276,  (276, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914   484   NtQueryValueKey  (276,  (276, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915   484   NtQueryValueKey  (276,  (276, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01916   484   NtQueryValueKey  (276,  (276, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917   484   NtQueryValueKey  (276,  (276, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01918   484   NtQueryValueKey  (276,  (276, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01919   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 280, ) }, ... 280, ) == 0x0
 01920   484   NtQueryValueKey  (280,  (280, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01921   484   NtClose  (280, ... ) == 0x0
 01922   484   NtClose  (272, ... ) == 0x0
 01923   484   NtClose  (276, ... ) == 0x0
 01924   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 276, ) }, ... 276, ) == 0x0
 01925   484   NtQueryValueKey  (276,  (276, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01926   484   NtQueryValueKey  (276,  (276, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01927   484   NtQueryValueKey  (276,  (276, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928   484   NtClose  (276, ... ) == 0x0
 01929   484   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01930   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0
 01931   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 272, ) == 0x0
 01932   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 280, ) == 0x0
 01933   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01934   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28377088, 65536, ) == 0x0
 01935   484   NtAllocateVirtualMemory  (-1, 28377088, 0, 4096, 4096, 4, ... 28377088, 4096, ) == 0x0
 01936   484   NtAllocateVirtualMemory  (-1, 28381184, 0, 8192, 4096, 4, ... 28381184, 8192, ) == 0x0
 01937   484   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 284, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 284, {status=0x0, info=0}, ) == 0x0
 01938   484   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 288, {status=0x0, info=0}, ) == 0x0
 01939   484   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) == 0x0
 01940   484   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 296, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 296, {status=0x0, info=0}, ) == 0x0
 01941   484   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1241500,  (0x20100080, {24, 0, 0x40, 0, 1241500, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 300, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 300, {status=0x0, info=0}, ) == 0x0
 01942   484   NtAllocateVirtualMemory  (-1, 28389376, 0, 36864, 4096, 4, ... 28389376, 36864, ) == 0x0
 01943   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01944   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (284, 304, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01945   484   NtClose  (304, ... ) == 0x0
 01946   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01947   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0~\363\274\310\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (284, 304, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0~\363\274\310\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01948   484   NtClose  (304, ... ) == 0x0
 01949   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01950   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\236\363\274\310\324\277\4\0N\1\0\01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\214\0\0\365\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (284, 304, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\236\363\274\310\324\277\4\0N\1\0\01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\214\0\0\365\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01951   484   NtClose  (304, ... ) == 0x0
 01952   484   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01953   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01954   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (284, 304, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01955   484   NtClose  (304, ... ) == 0x0
 01956   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01957   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (284, 304, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01958   484   NtClose  (304, ... ) == 0x0
 01959   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01960   484   NtDeviceIoControlFile  (284, 304, 0x0, 0x0, 0x120003,  (284, 304, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (284, 304, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01961   484   NtClose  (304, ... ) == 0x0
 01962   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01963   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01964   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01965   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01966   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01967   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01968   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01969   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01970   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01971   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01972   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01973   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01974   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01975   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01976   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01977   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01978   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01979   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01980   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01981   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01982   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01983   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01984   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01985   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01986   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01987   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01988   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01989   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01990   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01991   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01992   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01993   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01994   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 01995   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01996   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 01997   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 01998   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01999   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02000   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02001   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02002   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02003   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02004   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02005   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02006   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02007   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02008   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02009   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02010   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02011   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02012   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02013   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02014   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02015   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02016   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02017   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02018   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02019   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02020   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02021   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02022   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02023   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02024   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02025   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02026   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02027   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02028   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02029   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02030   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02031   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02032   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02033   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02034   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02035   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02036   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02037   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02038   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02039   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02040   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02041   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02042   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02043   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02044   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02045   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02046   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02047   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02048   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02049   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02050   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02051   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02052   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02053   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02054   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02055   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02056   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02057   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02058   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02059   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02060   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02061   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02062   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02063   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02064   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02065   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02066   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02067   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02068   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02069   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02070   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02071   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02072   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02073   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02074   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02075   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02076   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02077   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02078   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02079   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02080   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02081   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02082   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 28442624, 65536, ) == 0x0
 02083   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02084   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 1, 4096, 4, ... 28442624, 4096, ) == 0x0
 02085   484   NtQueryVirtualMemory  (-1, 0x1b20000, Basic, 28, ... {BaseAddress=0x1b20000,AllocationBase=0x1b20000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02086   484   NtFreeVirtualMemory  (-1, (0x1b20000), 0, 32768, ... (0x1b20000), 65536, ) == 0x0
 02087   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 304, ) }, ... 304, ) == 0x0
 02088   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 308, ) }, ... 308, ) == 0x0
 02089   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 312, ) }, ... 312, ) == 0x0
 02090   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 316, ) }, ... 316, ) == 0x0
 02091   484   NtQueryDefaultLocale  (1, 1241436, ... ) == 0x0
 02092   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02094   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == 0x0
 02096   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02097   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 324, ) == 0x0
 02098   484   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02099   484   NtClose  (320, ... ) == 0x0
 02100   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 02101   484   NtClose  (324, ... ) == 0x0
 02102   484   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 02103   484   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 02104   484   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 02105   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 324, ) }, ... 324, ) == 0x0
 02106   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 02107   484   NtClose  (324, ... ) == 0x0
 02108   484   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02109   484   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02110   484   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 02111   484   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 02112   484   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 02113   484   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 02114   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02115   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02116   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02117   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02118   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02119   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 02120   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 02121   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 02122   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 02123   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 02124   484   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 02125   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02126   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 02127   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02128   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02129   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02130   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02131   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 28442624, 262144, ) == 0x0
 02132   484   NtAllocateVirtualMemory  (-1, 28442624, 0, 4096, 4096, 4, ... 28442624, 4096, ) == 0x0
 02133   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02134   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 28704768, 262144, ) == 0x0
 02135   484   NtAllocateVirtualMemory  (-1, 28704768, 0, 4096, 4096, 4, ... 28704768, 4096, ) == 0x0
 02136   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02137   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 28966912, 262144, ) == 0x0
 02138   484   NtAllocateVirtualMemory  (-1, 28966912, 0, 4096, 4096, 4, ... 28966912, 4096, ) == 0x0
 02139   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02140   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 29229056, 262144, ) == 0x0
 02141   484   NtAllocateVirtualMemory  (-1, 29229056, 0, 4096, 4096, 4, ... 29229056, 4096, ) == 0x0
 02142   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02143   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02144   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02145   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02146   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236280, ... ) }, 1236280, ... ) == 0x0
 02147   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02148   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 324, ... 320, ) == 0x0
 02149   484   NtClose  (324, ... ) == 0x0
 02150   484   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1c20000), 0x0, 90112, ) == 0x0
 02151   484   NtClose  (320, ... ) == 0x0
 02152   484   NtUnmapViewOfSection  (-1, 0x1c20000, ... ) == 0x0
 02153   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236596, ... ) }, 1236596, ... ) == 0x0
 02154   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02155   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 324, ) == 0x0
 02156   484   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02157   484   NtClose  (320, ... ) == 0x0
 02158   484   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 02159   484   NtClose  (324, ... ) == 0x0
 02160   484   NtQueryDefaultLocale  (1, 1238284, ... ) == 0x0
 02161   484   NtAllocateVirtualMemory  (-1, 28446720, 0, 4096, 4096, 4, ... 28446720, 4096, ) == 0x0
 02162   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 324, ) }, ... 324, ) == 0x0
 02163   484   NtClose  (324, ... ) == 0x0
 02164   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02166   484   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02167   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02169   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02170   484   NtCreateMutant  (0x1f0001, {24, 76, 0x80, 0, 0,  (0x1f0001, {24, 76, 0x80, 0, 0, "Bot018"}, 0, ... 324, ) }, 0, ... 324, ) == 0x0
 02171   484   NtWaitForSingleObject  (324, 0, {-300000000, -1}, ... ) == 0x0
 02172   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 1242252, ... ) }, 1242252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173   484   NtDelayExecution  (0, {-20000000, -1}, ... ) == 0x0
 02174   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241168,  (0x80100080, {24, 0, 0x40, 0, 1241168, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 02175   484   NtQueryInformationFile  (320, 1242104, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02176   484   NtQueryInformationFile  (320, 1242076, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02177   484   NtQueryInformationFile  (320, 1242028, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02178   484   NtAllocateVirtualMemory  (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0
 02179   484   NtQueryInformationFile  (320, 1395680, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02180   484   NtQueryInformationFile  (320, 1240572, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02181   484   NtQueryInformationFile  (320, 1240416, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02182   484   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240424,  (0x40110080, {24, 0, 0x40, 0, 1240424, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02183   484   NtClose  (-2147482036, ... ) == 0x0
 02182   484   NtCreateFile  ... 328, {status=0x0, info=2}, ) == 0x0
 02184   484   NtQueryVolumeInformationFile  (328, 1239796, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 02185   484   NtQueryInformationFile  (328, 1239756, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02186   484   NtQueryVolumeInformationFile  (320, 1239796, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02187   484   NtQueryVolumeInformationFile  (320, 1239480, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02188   484   NtSetInformationFile  (328, 1239584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02189   484   NtAllocateVirtualMemory  (-1, 1404928, 0, 65536, 4096, 4, ... 1404928, 65536, ) == 0x0
 02190   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0,\354.\261h\215@\342h\215@\342h\215@\342\242\256g\342i\215@\342\222\251\0\342v\215@\342\222\251\\342\344\215@\342\222\256Y\342m\215@\342h\215A\342\344\215@\342\222\251]\342-\215@\342\222\251}\342i\215@\342Richh\215@\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\247\25{C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\332\1\0\0\274\5\0\0\0\0\0\0\340\7\0\0\20\0\0\0\360\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\7\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\334\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\300\7\0\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\304\330\1\0\0\20\0\0\0\16\1\0\0\4\0\0\0\0\0\0", ) , ) == 0x0
 02191   484   NtWriteFile  (328, 0, 0, 0,  (328, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0,\354.\261h\215@\342h\215@\342h\215@\342\242\256g\342i\215@\342\222\251\0\342v\215@\342\222\251\\342\344\215@\342\222\256Y\342m\215@\342h\215A\342\344\215@\342\222\251]\342-\215@\342\222\251}\342i\215@\342Richh\215@\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\247\25{C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\332\1\0\0\274\5\0\0\0\0\0\0\340\7\0\0\20\0\0\0\360\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\7\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\334\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\300\7\0\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\304\330\1\0\0\20\0\0\0\16\1\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02192   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "J$\230\340\235\362\222\357\23\20\13\327\200yt8\251\250^\21\212\5\16:\17uXR\323\324~\305\301N\222\16@\278\321uE\360N\241\357W\3176\25;4\322e\306\6\350\2\265\343_^\361d%\220\270+\363H\247\201~HN\3179W\347M\20G\365F\14.\357\315\352\353 \35\2\267.b\24\314\13_\203\330\330\16\210\204\304\213r\26\24\178\312\307@f\34\362\356\362\336\240\11\23\201H\341\302\235\224\342\63;r\311j+\312\240\177\2508\246\231B\14\201\361\215F\377&\232H\320\205;\15\365 \3\376s%\232\301G\6>FJ\274+\236\326<\350\227-6l\316\2645\237\24\237\36\222\351\7\36\20I7\10?a\23Sj\3641\276\223\12\365\30\276\12\366\377%\250\245&\7\372\20\4\232'[\360\237/\230\305\224\343{\226\205 \304\215|\21X\255*%\371\2\117\2038a\3002nsQ\37\25\266+\310\177\210PN\260\236\241\302\203\14\215\263J\220\377\31\342\276\276\33Ps\36\225\25\30\262\6\201\242w\3\213\360`+\326\304C\236\324\341HA\215SVv\260q}W\215\34\250<\2133\240\305\300\301P\347\267\367\274?D9\352\302\340(\177\10\332\15\37Y\222#\362g\304\352\3d\206\25E-r\260\367\221J\33/\31s\37c\10\213\270\13\27D8\14\355?\222\3524\307Ps\254\274D|\201\235\323*\234QAUj\13\203\315\370\3504\332\211\301Uy\217-!!\13\350\240\211'3\333\361\201\11\24\277L\2577'\205\366Q.\211\215\206\331\12\37^\324F\367\24uN\275\310-\210k\260Q\27\16#-\212tm\261\302\262\257 \215^\14S\254\256\200Ct\33\373X\223\213\325\337\217;\306(\5`\3;\360r\236\353\34\362\16_\300{+\7-", ) , ) == 0x0
 02193   484   NtWriteFile  (328, 0, 0, 0,  (328, 0, 0, 0, "J$\230\340\235\362\222\357\23\20\13\327\200yt8\251\250^\21\212\5\16:\17uXR\323\324~\305\301N\222\16@\278\321uE\360N\241\357W\3176\25;4\322e\306\6\350\2\265\343_^\361d%\220\270+\363H\247\201~HN\3179W\347M\20G\365F\14.\357\315\352\353 \35\2\267.b\24\314\13_\203\330\330\16\210\204\304\213r\26\24\178\312\307@f\34\362\356\362\336\240\11\23\201H\341\302\235\224\342\63;r\311j+\312\240\177\2508\246\231B\14\201\361\215F\377&\232H\320\205;\15\365 \3\376s%\232\301G\6>FJ\274+\236\326<\350\227-6l\316\2645\237\24\237\36\222\351\7\36\20I7\10?a\23Sj\3641\276\223\12\365\30\276\12\366\377%\250\245&\7\372\20\4\232'[\360\237/\230\305\224\343{\226\205 \304\215|\21X\255*%\371\2\117\2038a\3002nsQ\37\25\266+\310\177\210PN\260\236\241\302\203\14\215\263J\220\377\31\342\276\276\33Ps\36\225\25\30\262\6\201\242w\3\213\360`+\326\304C\236\324\341HA\215SVv\260q}W\215\34\250<\2133\240\305\300\301P\347\267\367\274?D9\352\302\340(\177\10\332\15\37Y\222#\362g\304\352\3d\206\25E-r\260\367\221J\33/\31s\37c\10\213\270\13\27D8\14\355?\222\3524\307Ps\254\274D|\201\235\323*\234QAUj\13\203\315\370\3504\332\211\301Uy\217-!!\13\350\240\211'3\333\361\201\11\24\277L\2577'\205\366Q.\211\215\206\331\12\37^\324F\367\24uN\275\310-\210k\260Q\27\16#-\212tm\261\302\262\257 \215^\14S\254\256\200Ct\33\373X\223\213\325\337\217;\306(\5`\3;\360r\236\353\34\362\16_\300{+\7-", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02194   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", ) \15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235 (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", ) \303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", ) , ) == 0x0
 02195   484   NtWriteFile  (328, 0, 0, 0,  (328, 0, 0, 0, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235 (328, 0, 0, 0, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v (328, 0, 0, 0, "\351|*Y\203{\350\0\337k\21T\335DKd\226Bf6\351@\343\345\35E\30!\341H#\226\316\266\0\14\371P^\35D@\271z\361\25\12@\247\241\352C\235\h\301\362\245\346\235\26@\25\20#P\311\363\264\213$%\237\250~9\246\244b\274\212\253\3649\27a\376\14\5O2\323r\327X\276\245\2525\10\267\360\69{f\3113'i\247\256\25\374%\4tL7]:$44~fm\306;bf\270#\314f\5\201nw>\211\2678V\275V\320\310g\246O\366\210+\362K\315x\261\13\37\247'?\206P\261k"\15\231\2211\304\272\257\271\350s\367\214\16\212\27if\23l\376\247\34\31i\243!T\377U\27\1\243#\372\4\342\325C\322\7pdD\235"E\304\10^\371w\266\21\273\212\305c6\10q\3370\267\322 z\215\370/\371|\205'C\300\7.IJqU\305~,{\374\\207\322n\16{\343\255\237\304U\220o\326\213\203\371\232`V\16\214\31\212~P\205\25\5\240\344I\200\265\7}M\211{\211\302\377\304\367\257\342\227\315\202\371\217\373\321\204Ay\212\312\252X\201}r\234\356l\337\255\177V\252*c\31\252,\12\10{!o\341\l\13\2338\375\36\200\31\206\355\200\336*\32\15\307\2559F\334\305\0\3021j\33\370\314\237\355\273"\303 \32\313\272?\15\305\255:;\340\237\355\227\313\220\35\7Lh\221\34180\305\37\337\260\11u\3079u}\257\321:\6\37\301\4\15\37w\266\320\203u\203\os\267\202\322\215\255'\2278\20\367'\214\261\377+\5\15\202\237\273\3\307\374\330\5\261\347\215\321\3\372\215Bh\256K\1L\252s\200v"\0\12\363\365\4\307c'vr\217&\1\37\236Sb\4\7-\320\0\267\245W\226 \225|O\322CM\14", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02196   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", ) \342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", ) 0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", ) == 0x0
 02197   484   NtWriteFile  (328, 0, 0, 0,  (328, 0, 0, 0, "o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q (328, 0, 0, 0, "o)\36\1\211\237> ;t~\360\274'\210\17\307l\330~\255;\351l\324X\233P\306<|\212R\352;\25q\274HP\334S\245\16\234!p\216\2ig\4.\3\12\203\230 \325\322\21\10q0\256Cy|\221\246}8C'b\213\310\320\362\0\241\276\316\235]\246H\363\345o \330\320\250\25\34\22\310d\366`l\325\353\362\206Y\205"\342C\203\31q\4\210k\330`\377\23\262\303\353\314i\311XM\302h),g<\37u\254\222o0jIV\356\4\11\15\341X\336\340\202\327_=8R\206\201h6\3\5\351y\211\333\31\244\23\316Z 1\35\251?\354FX\236\205]\263\372\[:5`\311\317s1\226\262 \350\31\20\236E\343\373R\1\212^\11\321\301!\34z5\21\226\27\374B6K\372\365\372L\224$B\37y\0R\200q"\245\25\305\341\220\262_b&\27\2030fh\330\112\0F\26\207$\233\216\371\1_\320\206zL;y\200\312$\3279\237(\222%\240\320\226\200\3711\326\344Z0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 0\242\204\212\362\2001t\235\2\214He\13\244z\203=u\375\300\375\7q\364\246\12\265\352\14\341q^\331\323\313\177\16\2716\302\252\2372\15G\266\220\271V\267\340&\300\312a\362\200\206\340\237\214\210\254bfu\216\204t", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02198   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=32728},  (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=32728}, "\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", ) w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333 (320, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=32728}, "\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", ) \376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", ) == 0x0
 02199   484   NtWriteFile  (328, 0, 0, 0,  (328, 0, 0, 0, "\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", 32728, 0x0, 0, ... {status=0x0, info=32728}, ) w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333 (328, 0, 0, 0, "\372\202\17\31=1o\353vV\235\377\341\337u\16\255\202\347\12\266m\212\177\35#J\0\215\221\7\2139r\211xDx\2770QG3`f\321\254\5\205\227_\227i\246\356\231(\310\242\16I8\304\375u'\232\13\371\10kW\230}\331\200\232d\377_\211n\310\24m\26X\32Guj\24D9\312?\277\33E|gO\335\330j\241\362\14U0\222\202\355\361\340\330vJt\304\201\224\224olM\345\267\16\337\237h\314]w\55zt\15wy\327\32u\311`\17\6\23,N\311\242\353\350\324\321\212\226\34\240\306\36=\304\302\17\247\240\5\30\236\243\16\223Bv\21\201\317_\233t\313 o\247\245\240\363\21.\365y\14\366\15\251\213\225q%\341\263em\237\333\347\241\364\262\21\331w:\261%\3\251\337\177~X\345j_\276\13&\2241\35L\301\33/\361%1B\354\360\253\2443\13\214j\353\3\237 \2736\231\330#n*\210\343\12\307O\217\336\312\223p\316\236\235\177\22\2358H\2373\15Q\367\370\353\235\363(j\35\370\305\232\347\34./\203k\220\202cm\21\324#\303\342"w\346\221p!a\302\320\362n\375\335[\376/\331b\1Gr3\301s\354\333"\3551\212\273\11Ar,\5\263q\370\370\21\200\243\320p#\351&@\261\202\236DJ\213G\232jO\2058s\346\324x&2\15\211\274\370\331\222\242\262\237\230\240\22\232\24e(\232\13\202\323iy\262c\333$\21\17\213\23\345DN\224y\260%\246*x\3365"\376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", 32728, 0x0, 0, ... {status=0x0, info=32728}, ) \376V!\363{\32\255n\224\310's\1\3606\357|\251\14\232\0\371\253@]\347<4\354\234\324X\361Vc\265kbVq\\236\251\352G\310%\351\360\250#L\34\251\37|*\310\262s;\333/B\14\5\232+%\236\26I}\200\253\262\201\212\13!\370", 32728, 0x0, 0, ... {status=0x0, info=32728}, ) == 0x0
 02200   484   NtReadFile  (320, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE
 02201   484   NtFreeVirtualMemory  (-1, (0x156000), 69632, 16384, ... (0x156000), 69632, ) == 0x0
 02202   484   NtSetInformationFile  (328, 1242028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02203   484   NtClose  (320, ... ) == 0x0
 02204   484   NtClose  (328, ... ) == 0x0
 02205   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == 0x0
 02210   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241924,  (0x80100080, {24, 0, 0x40, 0, 1241924, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02211   484   NtQueryInformationFile  (328, 1241976, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02212   484   NtClose  (328, ... ) == 0x0
 02213   484   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1241924,  (0x40100080, {24, 0, 0x40, 0, 1241924, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02214   484   NtSetInformationFile  (328, 1241976, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02215   484   NtClose  (328, ... ) == 0x0
 02216   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 7, 2113568, ... 328, {status=0x0, info=1}, ) }, 7, 2113568, ... 328, {status=0x0, info=1}, ) == 0x0
 02217   484   NtSetInformationFile  (328, 1242228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02218   484   NtClose  (328, ... ) == 0x0
 02219   484   NtOpenProcess  (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {464, 0}, ... 328, ) == 0x0
 02220   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02221   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02222   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 320, ... 332, ) == 0x0
 02223   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 336, ) }, ... 336, ) == 0x0
 02225   484   NtQueryValueKey  (336,  (336, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   484   NtClose  (336, ... ) == 0x0
 02227   484   NtQueryVolumeInformationFile  (320, 1238724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02228   484   NtOpenMutant  (0x120001, {24, 76, 0x0, 0, 0,  (0x120001, {24, 76, 0x0, 0, 0, "ShimCacheMutex"}, ... 336, ) }, ... 336, ) == 0x0
 02229   484   NtWaitForSingleObject  (336, 0, {-1000000, -1}, ... ) == 0x0
 02230   484   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "ShimSharedMemory"}, ... 340, ) }, ... 340, ) == 0x0
 02231   484   NtMapViewOfSection  (340, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1c20000), {0, 0}, 57344, ) == 0x0
 02232   484   NtReleaseMutant  (336, ... 0x0, ) == 0x0
 02233   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236708, ... ) }, 1236708, ... ) == 0x0
 02234   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02235   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 344, ... 348, ) == 0x0
 02236   484   NtClose  (344, ... ) == 0x0
 02237   484   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1c30000), 0x0, 106496, ) == 0x0
 02238   484   NtClose  (348, ... ) == 0x0
 02239   484   NtUnmapViewOfSection  (-1, 0x1c30000, ... ) == 0x0
 02240   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237024, ... ) }, 1237024, ... ) == 0x0
 02241   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02242   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0
 02243   484   NtQuerySection  (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02244   484   NtClose  (348, ... ) == 0x0
 02245   484   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02246   484   NtClose  (344, ... ) == 0x0
 02247   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0
 02248   484   NtQueryInformationFile  (344, 1237312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02249   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 344, ... 348, ) == 0x0
 02250   484   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1c30000), 0x0, 1028096, ) == 0x0
 02251   484   NtQueryInformationFile  (344, 1237408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02252   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02254   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02255   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02256   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1234972, 616, BothDirectory, 1,  (352, 0, 0, 0, 1234972, 616, BothDirectory, 1, "tgfokac32.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02257   484   NtClose  (352, ... ) == 0x0
 02258   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02259   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02260   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 1234360, ... ) }, 1234360, ... ) == 0x0
 02261   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02262   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1233720, 616, BothDirectory, 1,  (352, 0, 0, 0, 1233720, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02263   484   NtClose  (352, ... ) == 0x0
 02264   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02265   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1233720, 616, BothDirectory, 1,  (352, 0, 0, 0, 1233720, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02266   484   NtClose  (352, ... ) == 0x0
 02267   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02268   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02269   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02270   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02271   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02272   484   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02273   484   NtClose  (352, ... ) == 0x0
 02274   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02275   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tgfokac32.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02276   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02277   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02278   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 1236640, ... ) }, 1236640, ... ) == 0x0
 02279   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02280   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (352, 0, 0, 0, 1236000, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02281   484   NtClose  (352, ... ) == 0x0
 02282   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02283   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (352, 0, 0, 0, 1236000, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02284   484   NtClose  (352, ... ) == 0x0
 02285   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02286   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02287   484   NtWaitForSingleObject  (336, 0, {-1000000, -1}, ... ) == 0x0
 02288   484   NtQueryVolumeInformationFile  (320, 1237284, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02289   484   NtQueryInformationFile  (320, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02290   484   NtQueryInformationFile  (320, 1237304, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02291   484   NtReleaseMutant  (336, ... 0x0, ) == 0x0
 02292   484   NtUnmapViewOfSection  (-1, 0x1c30000, ... ) == 0x0
 02293   484   NtClose  (348, ... ) == 0x0
 02294   484   NtClose  (344, ... ) == 0x0
 02295   484   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02296   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgfokac32.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02298   484   NtOpenProcessToken  (-1, 0xa, ... 344, ) == 0x0
 02299   484   NtQueryInformationToken  (344, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02300   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02301   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02302   484   NtQueryValueKey  (348,  (348, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (348, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02303   484   NtQueryValueKey  (348,  (348, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (348, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02304   484   NtClose  (348, ... ) == 0x0
 02305   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02306   484   NtQueryValueKey  (348,  (348, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02307   484   NtQueryValueKey  (348,  (348, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (348, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02308   484   NtClose  (348, ... ) == 0x0
 02309   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02311   484   NtQueryValueKey  (348,  (348, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02312   484   NtClose  (348, ... ) == 0x0
 02313   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02314   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02315   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02316   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02317   484   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 02318   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02319   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02320   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02321   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02322   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02323   484   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 02324   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 348, ) }, ... 348, ) == 0x0
 02325   484   NtEnumerateKey  (348, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (348, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02326   484   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 352, ) }, ... 352, ) == 0x0
 02327   484   NtQueryValueKey  (352,  (352, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (352, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02328   484   NtQueryValueKey  (352,  (352, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (352, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02329   484   NtClose  (352, ... ) == 0x0
 02330   484   NtEnumerateKey  (348, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02331   484   NtClose  (348, ... ) == 0x0
 02332   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02333   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02334   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02337   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02338   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02339   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02340   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02341   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02343   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02344   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02345   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02346   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02347   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02348   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02349   484   NtClose  (348, ... ) == 0x0
 02350   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02351   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02352   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02353   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02354   484   NtClose  (348, ... ) == 0x0
 02355   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02356   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02357   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02358   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02359   484   NtClose  (348, ... ) == 0x0
 02360   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02361   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02362   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02363   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02364   484   NtClose  (348, ... ) == 0x0
 02365   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02366   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02367   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02368   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02369   484   NtClose  (348, ... ) == 0x0
 02370   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02371   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02372   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02373   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02374   484   NtClose  (348, ... ) == 0x0
 02375   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02377   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02378   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02379   484   NtClose  (348, ... ) == 0x0
 02380   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02381   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02382   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02383   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02384   484   NtClose  (348, ... ) == 0x0
 02385   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02386   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02387   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02388   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02389   484   NtClose  (348, ... ) == 0x0
 02390   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02392   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02393   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02394   484   NtClose  (348, ... ) == 0x0
 02395   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02396   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02397   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02398   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02399   484   NtClose  (348, ... ) == 0x0
 02400   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02402   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02403   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02404   484   NtClose  (348, ... ) == 0x0
 02405   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02406   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02407   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02408   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02409   484   NtClose  (348, ... ) == 0x0
 02410   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02411   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02412   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02413   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02414   484   NtClose  (348, ... ) == 0x0
 02415   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02416   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02417   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02418   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02419   484   NtClose  (348, ... ) == 0x0
 02420   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02422   484   NtQueryValueKey  (348,  (348, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (348, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (348, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02423   484   NtClose  (348, ... ) == 0x0
 02424   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02425   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02426   484   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02427   484   NtClose  (348, ... ) == 0x0
 02428   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02430   484   NtOpenProcessToken  (-1, 0xa, ... 348, ) == 0x0
 02431   484   NtDuplicateToken  (348, 0xc, {24, 0, 0x0, 0, 1238616, 0x0}, 0, 2, ... 352, ) == 0x0
 02432   484   NtClose  (348, ... ) == 0x0
 02433   484   NtAccessCheck  (1402384, 352, 0x1, 1238744, 1238688, 56, 1238772, ... (0x1), ) == 0x0
 02434   484   NtClose  (352, ... ) == 0x0
 02435   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 352, ) }, ... 352, ) == 0x0
 02436   484   NtQueryValueKey  (352,  (352, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (352, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02437   484   NtClose  (352, ... ) == 0x0
 02438   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 352, ) }, ... 352, ) == 0x0
 02439   484   NtQuerySymbolicLinkObject  (352, ...  (352, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02440   484   NtClose  (352, ... ) == 0x0
 02441   484   NtQueryInformationFile  (320, 1237076, 528, Name, ... {status=0x0, info=66}, ) == 0x0
 02442   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02443   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02444   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe"}, 1235756, ... ) }, 1235756, ... ) == 0x0
 02445   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02446   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1235116, 616, BothDirectory, 1,  (352, 0, 0, 0, 1235116, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02447   484   NtClose  (352, ... ) == 0x0
 02448   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 352, {status=0x0, info=1}, ) }, 3, 16417, ... 352, {status=0x0, info=1}, ) == 0x0
 02449   484   NtQueryDirectoryFile  (352, 0, 0, 0, 1235116, 616, BothDirectory, 1,  (352, 0, 0, 0, 1235116, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02450   484   NtClose  (352, ... ) == 0x0
 02451   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02452   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02453   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02454   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02455   484   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02456   484   NtClose  (352, ... ) == 0x0
 02457   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02458   484   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 348, ) }, ... 348, ) == 0x0
 02459   484   NtClose  (352, ... ) == 0x0
 02460   484   NtQueryValueKey  (348,  (348, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02461   484   NtQueryValueKey  (348,  (348, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (348, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02462   484   NtClose  (348, ... ) == 0x0
 02463   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 29556736, 4096, ) == 0x0
 02464   484   NtAllocateVirtualMemory  (-1, 29556736, 0, 4096, 4096, 4, ... 29556736, 4096, ) == 0x0
 02465   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02466   484   NtQueryValueKey  (348,  (348, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02467   484   NtClose  (348, ... ) == 0x0
 02468   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   484   NtQueryInformationToken  (344, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02470   484   NtQueryInformationToken  (344, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02471   484   NtClose  (344, ... ) == 0x0
 02472   484   NtCreateProcessEx  (1241352, 2035711, 0, -1, 4, 332, 0, 0, 0, ... ) == 0x0
 02473   484   NtSetInformationProcess  (344, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 02474   484   NtQueryInformationProcess  (344, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=996,ParentPid=464,}, 0x0, ) == 0x0
 02475   484   NtReadVirtualMemory  (344, 0x7ffdf008, 4, ...  (344, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02476   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tgfokac32.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02477   484   NtAllocateVirtualMemory  (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0
 02478   484   NtReadVirtualMemory  (344, 0x400000, 4096, ...  (344, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0,\354.\261h\215@\342h\215@\342h\215@\342\242\256g\342i\215@\342\222\251\0\342v\215@\342\222\251\\342\344\215@\342\222\256Y\342m\215@\342h\215A\342\344\215@\342\222\251]\342-\215@\342\222\251}\342i\215@\342Richh\215@\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\247\25{C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\332\1\0\0\274\5\0\0\0\0\0\0\340\7\0\0\20\0\0\0\360\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\7\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\334\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\300\7\0\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\304\330\1\0\0\20\0\0\0\16\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02479   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02480   484   NtQueryInformationProcess  (344, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=996,ParentPid=464,}, 0x0, ) == 0x0
 02481   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239416, ... ) }, 1239416, ... ) == 0x0
 02482   484   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 29622272, 4096, ) == 0x0
 02483   484   NtAllocateVirtualMemory  (344, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02484   484   NtWriteVirtualMemory  (344, 0x10000,  (344, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02485   484   NtAllocateVirtualMemory  (344, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 02486   484   NtWriteVirtualMemory  (344, 0x20000,  (344, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0B\0D\0\230\5\0\0t\0v\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0T\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 02487   484   NtWriteVirtualMemory  (344, 0x7ffdf010,  (344, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02488   484   NtWriteVirtualMemory  (344, 0x7ffdf1e8,  (344, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02489   484   NtFreeVirtualMemory  (-1, (0x1c40000), 0, 32768, ... (0x1c40000), 4096, ) == 0x0
 02490   484   NtAllocateVirtualMemory  (344, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02491   484   NtAllocateVirtualMemory  (344, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02492   484   NtProtectVirtualMemory  (344, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02493   484   NtCreateThread  (0x1f03ff, 0x0, 344, 1239616, 1240336, 1, ... 348, {996, 1024}, ) == 0x0
 02494   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394184, 1241436}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394184, 1241436} "\0\0\0\0\0\0\1\0\2$\370w U\367w[\1\0\0\\1\0\0\344\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 464, 484, 1530, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wX\1\0\0\\1\0\0\344\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" )  ... {168, 196, reply, 0, 464, 484, 1530, 0}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394184, 1241436} "\0\0\0\0\0\0\1\0\2$\370w U\367w[\1\0\0\\1\0\0\344\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 464, 484, 1530, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wX\1\0\0\\1\0\0\344\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" )  ) == 0x0
 02495   484   NtResumeThread  (348, ... 1, ) == 0x0
 02496   484   NtClose  (320, ... ) == 0x0
 02497   484   NtClose  (332, ... ) == 0x0
 02498   484   NtDelayExecution  (0, {-2000000, -1}, ... ) == 0x0
 02499   484   NtClose  (344, ... ) == 0x0
 02500   484   NtClose  (348, ... ) == 0x0
 02501   484   NtTerminateProcess  (0, 0, ... ) == 0x0
 02502   484   NtFreeVirtualMemory  (-1, (0x1b10000), 0, 32768, ... (0x1b10000), 65536, ) == 0x0
 02503   484   NtClose  (284, ... ) == 0x0
 02504   484   NtClose  (288, ... ) == 0x0
 02505   484   NtClose  (296, ... ) == 0x0
 02506   484   NtClose  (292, ... ) == 0x0
 02507   484   NtClose  (300, ... ) == 0x0
 02508   484   NtClose  (272, ... ) == 0x0
 02509   484   NtClose  (280, ... ) == 0x0
 02510   484   NtClose  (316, ... ) == 0x0
 02511   484   NtClose  (312, ... ) == 0x0
 02512   484   NtClose  (308, ... ) == 0x0
 02513   484   NtClose  (304, ... ) == 0x0
 02514   484   NtClose  (276, ... ) == 0x0
 02515   484   NtClose  (260, ... ) == 0x0
 02516   484   NtClose  (256, ... ) == 0x0
 02517   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02518   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 02519   484   NtClose  (248, ... ) == 0x0
 02520   484   NtUnmapViewOfSection  (-1, 0x1af0000, ... ) == 0x0
 02521   484   NtClose  (252, ... ) == 0x0
 02522   484   NtClose  (244, ... ) == 0x0
 02523   484   NtClose  (232, ... ) == 0x0
 02524   484   NtClose  (236, ... ) == 0x0
 02525   484   NtClose  (240, ... ) == 0x0
 02526   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02527   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02528   484   NtWaitForMultipleObjects  (2, (204, 212, ), 1, 0, 0x0, ... ) == 0x1
 02529   484   NtClose  (212, ... ) == 0x0
 02530   484   NtSetEvent  (204, ... 0x0, ) == 0x0
 02531   484   NtClose  (204, ... ) == 0x0
 02532   484   NtWaitForMultipleObjects  (2, (216, 220, ), 1, 0, 0x0, ... ) == 0x1
 02533   484   NtClose  (220, ... ) == 0x0
 02534   484   NtSetEvent  (216, ... 0x0, ) == 0x0
 02535   484   NtClose  (216, ... ) == 0x0
 02536   484   NtWaitForMultipleObjects  (2, (224, 228, ), 1, 0, 0x0, ... ) == 0x1
 02537   484   NtClose  (228, ... ) == 0x0
 02538   484   NtSetEvent  (224, ... 0x0, ) == 0x0
 02539   484   NtClose  (224, ... ) == 0x0
 02540   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 02541   484   NtFreeVirtualMemory  (-1, (0x1ab0000), 0, 32768, ... (0x1ab0000), 262144, ) == 0x0
 02542   484   NtUserUnregisterClass  (1241736, 1991376896, 1241724, ... ) == 0x0
 02543   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 02544   484   NtClose  (132, ... ) == 0x0
 02545   484   NtUnmapViewOfSection  (-1, 0x1a60000, ... ) == 0x0
 02546   484   NtClose  (136, ... ) == 0x0
 02547   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 02548   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02549   484   NtClose  (104, ... ) == 0x0
 02550   484   NtClose  (92, ... ) == 0x0
 02551   484   NtClose  (108, ... ) == 0x0
 02552   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03b
 02553   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02554   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03d
 02555   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02556   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03f
 02557   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02558   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc041
 02559   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02560   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc043
 02561   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02562   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc045
 02563   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02564   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc047
 02565   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02566   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc049
 02567   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02568   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04b
 02569   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02570   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04d
 02571   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02572   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04f
 02573   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02574   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc051
 02575   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02576   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc053
 02577   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02578   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc057
 02579   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02580   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc059
 02581   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02582   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05b
 02583   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02584   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05d
 02585   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02586   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05f
 02587   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02588   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc017
 02589   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02590   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc019
 02591   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02592   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc018
 02593   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02594   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01a
 02595   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02596   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01c
 02597   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02598   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01e
 02599   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02600   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01b
 02601   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02602   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc068
 02603   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02604   484   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc06a
 02605   484   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02606   484   NtUnmapViewOfSection  (-1, 0x1a70000, ... ) == 0x0
 02607   484   NtClose  (100, ... ) == 0x0
 02608   484   NtClose  (88, ... ) == 0x0
 02609   484   NtWaitForSingleObject  (156, 0, 0x0, ... ) == 0x0
 02610   484   NtClearEvent  (156, ... ) == 0x0
 02611   484   NtSetEvent  (156, ... 0x0, ) == 0x0
 02612   484   NtClose  (156, ... ) == 0x0
 02613   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02614   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02615   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02616   484   NtQueryVirtualMemory  (-1, 0x356d20, Basic, 28, ... {BaseAddress=0x356000,AllocationBase=0x320000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 02617   484   NtQueryVirtualMemory  (-1, 0x35762c, Basic, 28, ... {BaseAddress=0x357000,AllocationBase=0x320000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 02618   484   NtQueryVirtualMemory  (-1, 0x32cef4, Basic, 28, ... {BaseAddress=0x32c000,AllocationBase=0x320000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 02619   484   NtGdiDeleteObjectApp  (252314596, ... ) == 0x1
 02620   484   NtGdiDeleteObjectApp  (336200672, ... ) == 0x1
 02621   484   NtGdiDeleteObjectApp  (906625978, ... ) == 0x1
 02622   484   NtUserDestroyCursor  (65687, 1, ... ) == 0x1
 02623   484   NtUserDestroyCursor  (131221, 1, ... ) == 0x1
 02624   484   NtUserDestroyCursor  (262253, 1, ... ) == 0x1
 02625   484   NtUserDestroyCursor  (131219, 1, ... ) == 0x1
 02626   484   NtUserDestroyCursor  (131179, 1, ... ) == 0x1
 02627   484   NtUserDestroyCursor  (131177, 1, ... ) == 0x1
 02628   484   NtUserDestroyCursor  (196719, 1, ... ) == 0x1
 02629   484   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 02630   484   NtDeleteAtom  (49180, ... ) == 0x0
 02631   484   NtDeleteAtom  (49181, ... ) == 0x0
 02632   484   NtGdiDeleteObjectApp  (369623937, ... ) == 0x1
 02633   484   NtClose  (80, ... ) == 0x0
 02634   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02635   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02636   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03b
 02637   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02638   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03d
 02639   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02640   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03f
 02641   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02642   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc041
 02643   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02644   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc043
 02645   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02646   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc045
 02647   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02648   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc047
 02649   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02650   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc049
 02651   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02652   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04b
 02653   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02654   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04d
 02655   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02656   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04f
 02657   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02658   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc051
 02659   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02660   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc053
 02661   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02662   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc057
 02663   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02664   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc059
 02665   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02666   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05b
 02667   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02668   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05d
 02669   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02670   484   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05f
 02671   484   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02672   484   NtFreeVirtualMemory  (-1, (0x1c30000), 4096, 32768, ... (0x1c30000), 4096, ) == 0x0
 02673   484   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68}  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68} "\0\0\0\0\3\0\1\0\250=\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 484, 1542, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 464, 484, 1542, 0}  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68} "\0\0\0\0\3\0\1\0\250=\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 484, 1542, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02674   484   NtTerminateProcess  (-1, 0, ...
 02675   484   NtClose  (48, ... ) == 0x0
NtCallbackReturn(>)	1	NtDuplicateObject(>)	2	NtGdiSaveDC(>)	7	NtQueryDebugFilterState(>)	23
NtConnectPort(>)	1	NtGdiCreateSolidBrush(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtWriteFile(>)	23
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtQueryDirectoryFile(>)	7	NtCreateEvent(>)	24
NtCreateThread(>)	1	NtOpenProcess(>)	2	NtUserDestroyCursor(>)	7	NtCreateFile(>)	24
NtDuplicateToken(>)	1	NtOpenSymbolicLinkObject(>)	2	NtUserSetCursorIconData(>)	7	NtReadFile(>)	24
NtEnumerateValueKey(>)	1	NtQueryInstallUILanguage(>)	2	NtGdiCreateBitmap(>)	8	NtOpenProcessTokenEx(>)	26
NtFsControlFile(>)	1	NtQuerySymbolicLinkObject(>)	2	NtSetInformationProcess(>)	8	NtOpenThreadTokenEx(>)	26
NtGdiCreatePaletteInternal(>)	1	NtReadVirtualMemory(>)	2	NtCreateKey(>)	9	NtFreeVirtualMemory(>)	31
NtGdiInit(>)	1	NtTerminateProcess(>)	2	NtCreateSemaphore(>)	10	NtQuerySection(>)	32
NtGdiQueryFontAssocInfo(>)	1	NtAddAtom(>)	3	NtGdiCreateCompatibleDC(>)	10	NtQueryInformationToken(>)	33
NtOpenKeyedEvent(>)	1	NtClearEvent(>)	3	NtGdiExtGetObjectW(>)	10	NtQuerySystemInformation(>)	35
NtQueryEvent(>)	1	NtGdiHfontCreate(>)	3	NtQueryDefaultUILanguage(>)	10	NtWaitForSingleObject(>)	37
NtQueryInformationJobObject(>)	1	NtNotifyChangeKey(>)	3	NtOpenMutant(>)	11	NtProtectVirtualMemory(>)	41
NtQueryObject(>)	1	NtOpenEvent(>)	3	NtRequestWaitReplyPort(>)	11	NtCreateSection(>)	43
NtQueryPerformanceCounter(>)	1	NtReleaseSemaphore(>)	3	NtUserGetDC(>)	11	NtUserUnregisterClass(>)	46
NtQueryTimerResolution(>)	1	NtSetInformationObject(>)	3	NtQueryVolumeInformationFile(>)	12	NtReleaseMutant(>)	48
NtRegisterThreadTerminatePort(>)	1	NtWaitForMultipleObjects(>)	3	NtSetValueKey(>)	13	NtOpenSection(>)	54
NtResumeThread(>)	1	NtWriteVirtualMemory(>)	4	NtUserSystemParametersInfo(>)	13	NtQueryVirtualMemory(>)	56
NtSecureConnectPort(>)	1	NtOpenThreadToken(>)	5	NtQueryInformationProcess(>)	14	NtGdiSelectBitmap(>)	57
NtTestAlert(>)	1	NtDeviceIoControlFile(>)	6	NtSetInformationThread(>)	14	NtUserRegisterClassExWOW(>)	63
NtUserCallNoParam(>)	1	NtEnumerateKey(>)	6	NtUserSelectPalette(>)	14	NtMapViewOfSection(>)	69
NtUserEnumDisplayMonitors(>)	1	NtOpenProcessToken(>)	6	NtSetInformationFile(>)	15	NtUserFindExistingCursorIcon(>)	72
NtUserGetKeyboardLayoutList(>)	1	NtSetEvent(>)	6	NtGdiDeleteObjectApp(>)	18	NtOpenFile(>)	73
NtUserGetObjectInformation(>)	1	NtCreateMutant(>)	7	NtUnmapViewOfSection(>)	18	NtUserGetClassInfo(>)	82
NtUserGetProcessWindowStation(>)	1	NtGdiBitBlt(>)	7	NtQueryDefaultLocale(>)	19	NtAllocateVirtualMemory(>)	120
NtUserGetThreadDesktop(>)	1	NtGdiCreateDIBitmapInternal(>)	7	NtContinue(>)	20	NtQueryAttributesFile(>)	129
NtUserSetWindowsHookEx(>)	1	NtGdiGetDCObject(>)	7	NtFlushInstructionCache(>)	20	NtOpenKey(>)	195
NtAccessCheck(>)	2	NtGdiGetDCforBitmap(>)	7	NtUserCallOneParam(>)	20	NtClose(>)	336
NtDelayExecution(>)	2	NtGdiGetStockObject(>)	7	NtQueryInformationFile(>)	21	NtQueryValueKey(>)	340
NtDeleteAtom(>)	2	NtGdiRestoreDC(>)	7	NtUserRegisterWindowMessage(>)	22