Summary (each system call name is followed by the number of times it was invoked):

NtAddAtom(>) 1 NtUserGetObjectInformation(>) 1 NtEnumerateKey(>) 6 NtOpenProcessTokenEx(>) 26
NtAdjustPrivilegesToken(>) 1 NtUserGetProcessWindowStation(>) 1 NtOpenProcessToken(>) 6 NtOpenThreadTokenEx(>) 26
NtCallbackReturn(>) 1 NtUserGetThreadDesktop(>) 1 NtSetEvent(>) 6 NtCreateEvent(>) 29
NtConnectPort(>) 1 NtAccessCheck(>) 2 NtCreateMutant(>) 7 NtQueryInformationToken(>) 32
NtContinue(>) 1 NtCreateIoCompletion(>) 2 NtOpenThreadToken(>) 7 NtQuerySection(>) 33
NtCreateProcessEx(>) 1 NtCreateThread(>) 2 NtCreateKey(>) 9 NtFreeVirtualMemory(>) 36
NtDelayExecution(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryDirectoryFile(>) 9 NtQuerySystemInformation(>) 37
NtDuplicateToken(>) 1 NtOpenDirectoryObject(>) 2 NtCreateSemaphore(>) 10 NtUnmapViewOfSection(>) 43
NtEnumerateValueKey(>) 1 NtOpenSymbolicLinkObject(>) 2 NtOpenMutant(>) 10 NtUserUnregisterClass(>) 46
NtGdiCreateBitmap(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 10 NtCreateSection(>) 47
NtGdiInit(>) 1 NtQuerySymbolicLinkObject(>) 2 NtReleaseMutant(>) 10 NtUserFindExistingCursorIcon(>) 48
NtGdiQueryFontAssocInfo(>) 1 NtReadVirtualMemory(>) 2 NtUserSystemParametersInfo(>) 10 NtFlushInstructionCache(>) 51
NtGdiSelectBitmap(>) 1 NtResumeThread(>) 2 NtRequestWaitReplyPort(>) 11 NtQueryVirtualMemory(>) 52
NtOpenKeyedEvent(>) 1 NtTerminateProcess(>) 2 NtQueryVolumeInformationFile(>) 12 NtWriteVirtualMemory(>) 58
NtQueryEvent(>) 1 NtClearEvent(>) 3 NtSetInformationProcess(>) 12 NtUserRegisterClassExWOW(>) 63
NtQueryInformationJobObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetValueKey(>) 13 NtOpenSection(>) 75
NtQueryObject(>) 1 NtNotifyChangeKey(>) 3 NtSetInformationThread(>) 16 NtOpenFile(>) 80
NtQuerySystemTime(>) 1 NtOpenEvent(>) 3 NtWaitForSingleObject(>) 18 NtUserGetClassInfo(>) 82
NtQueryTimerResolution(>) 1 NtReleaseSemaphore(>) 3 NtOpenProcess(>) 19 NtMapViewOfSection(>) 114
NtReadFile(>) 1 NtSetInformationObject(>) 3 NtQueryInformationProcess(>) 20 NtAllocateVirtualMemory(>) 131
NtRegisterThreadTerminatePort(>) 1 NtWaitForMultipleObjects(>) 3 NtUserRegisterWindowMessage(>) 20 NtQueryAttributesFile(>) 141
NtSecureConnectPort(>) 1 NtDuplicateObject(>) 4 NtQueryDefaultLocale(>) 21 NtOpenKey(>) 198
NtTestAlert(>) 1 NtFsControlFile(>) 4 NtSetInformationFile(>) 22 NtQueryValueKey(>) 341
NtUserCallNoParam(>) 1 NtWriteFile(>) 4 NtCreateFile(>) 23 NtClose(>) 383
NtUserCallOneParam(>) 1 NtGdiGetStockObject(>) 5 NtQueryDebugFilterState(>) 23 NtProtectVirtualMemory(>) 1120
NtUserGetDC(>) 1 NtDeviceIoControlFile(>) 6 NtQueryInformationFile(>) 23

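Trace (each record: sequence number, calling thread ID, system call with its arguments, then "==" and the returned status):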

00001 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 392 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 392 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 392 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 392 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 392 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 392 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 392 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 392 NtClose (12, ... 
) == 0x0 00014 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 392 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 392 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 392 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 392 NtClose (16, ... ) == 0x0 00021 392 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 392 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 392 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 392 NtClose (16, ... ) == 0x0 00026 392 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 392 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 392 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 392 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 316, 392, 1473, 0} "@P\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 316, 392, 1473, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 316, 392, 1473, 0} "@P\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 392 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 392 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 392 NtClose (16, ... ) == 0x0 00036 392 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 392 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 392 NtClose (28, ... ) == 0x0 00041 392 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 392 NtClose (28, ... ) == 0x0 00045 392 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 392 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 392 NtClose (28, ... ) == 0x0 00049 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 392 NtClose (28, ... ) == 0x0 00052 392 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 316, 392, 1476, 0} "8G\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 316, 392, 1476, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 316, 392, 1476, 0} "8G\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 392 NtProtectVirtualMemory (-1, (0x49f000), 92, 4, ... (0x49f000), 4096, 128, ) == 0x0 00057 392 NtProtectVirtualMemory (-1, (0x49f000), 4096, 128, ... (0x49f000), 4096, 4, ) == 0x0 00058 392 NtFlushInstructionCache (-1, 4845568, 92, ... ) == 0x0 00059 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 392 NtClose (28, ... ) == 0x0 00062 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 392 NtClose (28, ... ) == 0x0 00065 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 392 NtClose (28, ... ) == 0x0 00068 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 392 NtClose (28, ... ) == 0x0 00071 392 NtProtectVirtualMemory (-1, (0x49f000), 92, 4, ... (0x49f000), 4096, 64, ) == 0x0 00072 392 NtProtectVirtualMemory (-1, (0x49f000), 4096, 64, ... (0x49f000), 4096, 4, ) == 0x0 00073 392 NtFlushInstructionCache (-1, 4845568, 92, ... ) == 0x0 00074 392 NtOpenProcessToken (-1, 0x8, ... 
28, ) == 0x0 00075 392 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 392 NtClose (28, ... ) == 0x0 00077 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 392 NtClose (28, ... ) == 0x0 00080 392 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00081 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 392 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 392 NtClose (28, ... ) == 0x0 00085 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 392 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 392 NtClose (28, ... ) == 0x0 00088 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 392 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 316, 392, 1479, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 316, 392, 1479, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 316, 392, 1479, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00093 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4b0000), 0x0, 1060864, ) == 0x0 00095 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 392 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 392 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00098 392 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 392 NtQueryInformationToken (-2147482020, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 392 NtClose (-2147482020, ... ) == 0x0 00101 392 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00102 392 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00103 392 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00105 392 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 392 NtClose (-2147482020, ... ) == 0x0 00107 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00108 392 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 392 NtClose (-2147482020, ... ) == 0x0 00110 392 NtQueryDefaultLocale (0, -130905588, ... ) == 0x0 00111 392 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 392 NtUserCallNoParam (24, ... ) == 0x0 00113 392 NtGdiCreateCompatibleDC (0, ... 00114 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00113 392 NtGdiCreateCompatibleDC ... ) == 0x100103cf 00115 392 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 392 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 392 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050401 00118 392 NtGdiCreateSolidBrush (0, 0, ... 00119 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0 00118 392 NtGdiCreateSolidBrush ... ) == 0x13100404 00120 392 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 392 NtGdiCreateCompatibleDC (0, ... 
) == 0x83010384 00122 392 NtGdiSelectBitmap (-2097085564, 319095809, ... ) == 0x185000f 00123 392 NtUserGetThreadDesktop (392, 0, ... ) == 0x2c 00124 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 392 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 392 NtClose (52, ... ) == 0x0 00127 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 392 NtAllocateVirtualMemory (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0 00142 392 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 392 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 392 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 392 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 392 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 392 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 392 NtCallbackReturn (0, 0, 0, ... 00152 392 NtGdiInit (... ) == 0x1 00153 392 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 392 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 392 NtTestAlert (... ) == 0x0 00156 392 NtContinue (1244464, 1, ... 00157 392 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4a1c00,}, 4, ... ) == 0x0 00158 392 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00159 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1245092, 0, (0x1f0003, {24, 52, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 56, ) }, 1, 0, ... 56, ) == 0x0 00160 392 NtCreateSection (0xf0007, {24, 52, 0x80, 1245092, 0, (0xf0007, {24, 52, 0x80, 1245092, 0, "W32_Virtu"}, {22585, 0}, 4, 134217728, 0, ... 60, ) }, {22585, 0}, 4, 134217728, 0, ... 
60, ) == 0x0 00161 392 NtMapViewOfSection (60, -1, (0x0), 0, 22585, 0x0, 22585, 2, 0, 4, ... (0x8d0000), 0x0, 24576, ) == 0x0 00162 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0 00163 392 NtQueryValueKey (64, (64, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 392 NtClose (64, ... ) == 0x0 00165 392 NtOpenProcessToken (-1, 0x20, ... 64, ) == 0x0 00166 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00167 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 68, ) }, ... 68, ) == 0x0 00169 392 NtQueryValueKey (68, (68, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 392 NtClose (68, ... ) == 0x0 00171 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 68, ) == 0x0 00173 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00174 392 NtQuerySystemTime (... {-827180994, 29873113}, ) == 0x0 00175 392 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00176 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
76, ) == 0x0 00177 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00179 392 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00180 392 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00181 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 00182 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 84, ) == 0x0 00183 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 88, ) }, ... 88, ) == 0x0 00184 392 NtOpenKey (0x20019, {24, 88, 0x40, 0, 0, (0x20019, {24, 88, 0x40, 0, 0, "ActiveComputerName"}, ... 92, ) }, ... 92, ) == 0x0 00185 392 NtQueryValueKey (92, (92, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (92, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (92, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00186 392 NtClose (92, ... ) == 0x0 00187 392 NtClose (88, ... ) == 0x0 00188 392 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 88, ) == 0x0 00189 392 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 92, ) == 0x0 00190 392 NtDuplicateObject (-1, 88, -1, 0x0, 0, 2, ... 96, ) == 0x0 00191 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00192 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0 00193 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00194 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 00195 392 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00196 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0 00197 392 NtSetInformationFile (104, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00198 392 NtSetInformationFile (104, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00199 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00200 392 NtWriteFile (104, 81, 0, 0, (104, 81, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00201 392 NtReadFile (104, 81, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (104, 81, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Q \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00202 392 NtFsControlFile (104, 81, 0x0, 0x0, 0x11c017, (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Q \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Q \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00203 392 NtFsControlFile (104, 81, 0x0, 0x0, 0x11c017, (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305 \0"\0@:\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0@:\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305 \0"\0@:\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00204 392 NtFsControlFile (104, 81, 0x0, 0x0, 0x11c017, (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (104, 81, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\214\377\304\7\315?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00205 392 NtClose (100, ... ) == 0x0 00206 392 NtClose (104, ... 
) == 0x0 00207 392 NtAdjustPrivilegesToken (64, 0, 1245096, 0, 0, 0, ... ) == 0x0 00208 392 NtClose (64, ... ) == 0x0 00209 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 9306112, 65536, ) == 0x0 00210 392 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00211 392 NtCreateSection (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 64, ) == 0x0 00212 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8f0000), {0, 0}, 12288, ) == 0x0 00213 392 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00214 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8f0000), {0, 0}, 12288, ) == 0x0 00215 392 NtFreeVirtualMemory (-1, (0x8e0000), 0, 32768, ... (0x8e0000), 65536, ) == 0x0 00216 392 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00217 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00218 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00219 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00220 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00221 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00222 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00223 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00224 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00225 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00226 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00227 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 104, ) == 0x0 00228 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 100, ) }, ... 100, ) == 0x0 00229 392 NtMapViewOfSection (100, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ff90000), 0x0, 24576, ) == 0x0 00230 392 NtClose (100, ... ) == 0x0 00231 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00232 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00233 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00234 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00235 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00236 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00237 392 NtAllocateVirtualMemory (104, 0, 0, 1048576, 8192, 4, ... 22740992, 1048576, ) == 0x0 00238 392 NtAllocateVirtualMemory (104, 23781376, 0, 8192, 4096, 4, ... 23781376, 8192, ) == 0x0 00239 392 NtProtectVirtualMemory (104, (0x16ae000), 4096, 260, ... (0x16ae000), 4096, 4, ) == 0x0 00240 392 NtCreateThread (0x1f03ff, 0x0, 104, 1244008, 1244724, 1, ... 100, {616, 560}, ) == 0x0 00241 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0d\0\0\0h\2\0\00\2\0\0" ... {28, 56, reply, 0, 316, 392, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\2\0\00\2\0\0" ) ... {28, 56, reply, 0, 316, 392, 1491, 0} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0d\0\0\0h\2\0\00\2\0\0" ... {28, 56, reply, 0, 316, 392, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\2\0\00\2\0\0" ) ) == 0x0 00242 392 NtResumeThread (100, ... 1, ) == 0x0 00243 392 NtClose (104, ... ) == 0x0 00244 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00245 392 NtUnmapViewOfSection (-1, 0x8e0000, ... 
) == 0x0 00246 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 104, ) == 0x0 00247 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00248 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00249 392 NtClose (108, ... ) == 0x0 00250 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00251 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00252 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00253 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00254 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00255 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00256 392 NtClose (104, ... ) == 0x0 00257 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00258 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00259 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 104, ) == 0x0 00260 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00261 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00262 392 NtClose (108, ... ) == 0x0 00263 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00264 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00265 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00266 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00267 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00268 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00269 392 NtClose (104, ... ) == 0x0 00270 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00271 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00272 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {832, 0}, ... 104, ) == 0x0 00273 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00274 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00275 392 NtClose (108, ... ) == 0x0 00276 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00277 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00278 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00279 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00280 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00281 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00282 392 NtClose (104, ... ) == 0x0 00283 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00284 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00285 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {952, 0}, ... 104, ) == 0x0 00286 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 
108, ) == 0x0 00287 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0 00288 392 NtClose (108, ... ) == 0x0 00289 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00290 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00291 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00292 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00293 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00294 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00295 392 NtClose (104, ... ) == 0x0 00296 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00297 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00298 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1048, 0}, ... 104, ) == 0x0 00299 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00300 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00301 392 NtClose (108, ... ) == 0x0 00302 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00303 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00304 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00305 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00306 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00307 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00308 392 NtClose (104, ... ) == 0x0 00309 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00310 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00311 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1116, 0}, ... 104, ) == 0x0 00312 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00313 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00314 392 NtClose (108, ... ) == 0x0 00315 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00316 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00317 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00318 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00319 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00320 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00321 392 NtClose (104, ... ) == 0x0 00322 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00323 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00324 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1360, 0}, ... 104, ) == 0x0 00325 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00326 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00327 392 NtClose (108, ... 
) == 0x0 00328 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00329 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00330 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00331 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00332 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00333 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00334 392 NtClose (104, ... ) == 0x0 00335 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00336 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00337 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1632, 0}, ... 104, ) == 0x0 00338 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00339 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00340 392 NtClose (108, ... ) == 0x0 00341 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00342 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00343 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00344 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00345 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00346 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00347 392 NtClose (104, ... ) == 0x0 00348 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x8e0000), {0, 0}, 12288, ) == 0x0 00349 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00350 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1864, 0}, ... 104, ) == 0x0 00351 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00352 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00353 392 NtClose (108, ... ) == 0x0 00354 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00355 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00356 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00357 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00358 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00359 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00360 392 NtClose (104, ... ) == 0x0 00361 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00362 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00363 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1912, 0}, ... 104, ) == 0x0 00364 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00365 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00366 392 NtClose (108, ... ) == 0x0 00367 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00368 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00369 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00370 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00371 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00372 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00373 392 NtClose (104, ... ) == 0x0 00374 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00375 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00376 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2008, 0}, ... 104, ) == 0x0 00377 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00378 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00379 392 NtClose (108, ... ) == 0x0 00380 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00381 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00382 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00383 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00384 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00385 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00386 392 NtClose (104, ... ) == 0x0 00387 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00388 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00389 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2016, 0}, ... 104, ) == 0x0 00390 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 
108, ) == 0x0 00391 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00392 392 NtClose (108, ... ) == 0x0 00393 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00394 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00395 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00396 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00397 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00398 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00399 392 NtClose (104, ... ) == 0x0 00400 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00401 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00402 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 104, ) == 0x0 00403 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00404 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00405 392 NtClose (108, ... ) == 0x0 00406 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00407 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00408 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00409 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00410 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 00411 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00412 392 NtClose (104, ... ) == 0x0 00413 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00414 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00415 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2036, 0}, ... 104, ) == 0x0 00416 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00417 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00418 392 NtClose (108, ... ) == 0x0 00419 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00420 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00421 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00422 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00423 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00424 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00425 392 NtClose (104, ... ) == 0x0 00426 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00427 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00428 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 104, ) == 0x0 00429 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00430 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00431 392 NtClose (108, ... 
) == 0x0 00432 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00433 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00434 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00435 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00436 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00437 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00438 392 NtClose (104, ... ) == 0x0 00439 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8e0000), {0, 0}, 12288, ) == 0x0 00440 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00441 392 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 104, ) == 0x0 00442 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 108, ) }, ... 108, ) == 0x0 00443 392 NtMapViewOfSection (108, 104, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00444 392 NtClose (108, ... ) == 0x0 00445 392 NtProtectVirtualMemory (104, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00446 392 NtWriteVirtualMemory (104, 0x77f7e603, (104, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00447 392 NtProtectVirtualMemory (104, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00448 392 NtWriteVirtualMemory (104, 0x77f7e6a3, (104, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00449 392 NtProtectVirtualMemory (104, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00450 392 NtWriteVirtualMemory (104, 0x77f7e6b3, (104, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00451 392 NtClose (104, ... ) == 0x0 00452 392 NtMapViewOfSection (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x8e0000), {0, 0}, 12288, ) == 0x0 00453 392 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 00454 392 NtClose (64, ... ) == 0x0 00455 392 NtClose (56, ... ) == 0x0 00456 392 NtAllocateVirtualMemory (-1, 1335296, 0, 57344, 4096, 4, ... 1335296, 57344, ) == 0x0 00457 392 NtAllocateVirtualMemory (-1, 1392640, 0, 8192, 4096, 4, ... 1392640, 8192, ) == 0x0 00458 392 NtAllocateVirtualMemory (-1, 1400832, 0, 40960, 4096, 4, ... 1400832, 40960, ) == 0x0 00459 392 NtFlushInstructionCache (-1, 4778898, 65646, ... ) == 0x0 00460 392 NtFreeVirtualMemory (-1, (0x146000), 106496, 16384, ... (0x146000), 106496, ) == 0x0 00461 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00462 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9306112, 65536, ) == 0x0 00463 392 NtAllocateVirtualMemory (-1, 9306112, 0, 65536, 4096, 4, ... 9306112, 65536, ) == 0x0 00464 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0 00465 392 NtAllocateVirtualMemory (-1, 0, 0, 28015, 8192, 4, ... 9437184, 28672, ) == 0x0 00466 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00467 392 NtFlushInstructionCache (-1, 4779838, 46, ... ) == 0x0 00468 392 NtFlushInstructionCache (-1, 4779838, 80, ... ) == 0x0 00469 392 NtFlushInstructionCache (-1, 4779884, 175, ... ) == 0x0 00470 392 NtFlushInstructionCache (-1, 4779943, 27, ... ) == 0x0 00471 392 NtFlushInstructionCache (-1, 4779943, 60, ... ) == 0x0 00472 392 NtFlushInstructionCache (-1, 4779970, 71, ... ) == 0x0 00473 392 NtFlushInstructionCache (-1, 4780003, 38, ... ) == 0x0 00474 392 NtFlushInstructionCache (-1, 4779918, 178, ... ) == 0x0 00475 392 NtFlushInstructionCache (-1, 4780059, 37, ... 
) == 0x0 00476 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00477 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00478 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1242784, ... ) }, 1242784, ... ) == 0x0 00479 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 56, {status=0x0, info=1}, ) }, 3, 16417, ... 56, {status=0x0, info=1}, ) == 0x0 00480 392 NtQueryDirectoryFile (56, 0, 0, 0, 1242144, 616, BothDirectory, 1, (56, 0, 0, 0, 1242144, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0 00481 392 NtClose (56, ... ) == 0x0 00482 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 56, {status=0x0, info=1}, ) }, 3, 16417, ... 56, {status=0x0, info=1}, ) == 0x0 00483 392 NtQueryDirectoryFile (56, 0, 0, 0, 1242144, 616, BothDirectory, 1, (56, 0, 0, 0, 1242144, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 00484 392 NtClose (56, ... ) == 0x0 00485 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00486 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00487 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00488 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00489 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1242772, ... ) }, 1242772, ... ) == 0x0 00490 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 00491 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00492 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9568256, 1048576, ) == 0x0 00493 392 NtAllocateVirtualMemory (-1, 9568256, 0, 69704, 4096, 4, ... 9568256, 73728, ) == 0x0 00494 392 NtAllocateVirtualMemory (-1, 9641984, 0, 69632, 4096, 4, ... 9641984, 69632, ) == 0x0 00495 392 NtAllocateVirtualMemory (-1, 9711616, 0, 69632, 4096, 4, ... 9711616, 69632, ) == 0x0 00496 392 NtAllocateVirtualMemory (-1, 9781248, 0, 69632, 4096, 4, ... 9781248, 69632, ) == 0x0 00497 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00498 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00499 392 NtClose (56, ... ) == 0x0 00500 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00501 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00502 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00503 392 NtQueryValueKey (56, (56, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00504 392 NtClose (56, ... ) == 0x0 00505 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00506 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00507 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00508 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00509 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 56, ) }, ... 56, ) == 0x0 00510 392 NtQueryValueKey (56, (56, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00511 392 NtQueryValueKey (56, (56, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00512 392 NtQueryValueKey (56, (56, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 392 NtClose (56, ... ) == 0x0 00514 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 56, ) }, ... 56, ) == 0x0 00515 392 NtQueryValueKey (56, (56, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 392 NtQueryValueKey (56, (56, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 392 NtClose (56, ... 
) == 0x0 00518 392 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00520 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00521 392 NtClose (56, ... ) == 0x0 00522 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 56, ) }, ... 56, ) == 0x0 00523 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00524 392 NtClose (56, ... ) == 0x0 00525 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00526 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10616832, 65536, ) == 0x0 00527 392 NtAllocateVirtualMemory (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0 00528 392 NtAllocateVirtualMemory (-1, 10620928, 0, 8192, 4096, 4, ... 10620928, 8192, ) == 0x0 00529 392 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00530 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 56, ) == 0x0 00531 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa30000), 0x0, 12288, ) == 0x0 00532 392 NtClose (56, ... ) == 0x0 00533 392 NtAllocateVirtualMemory (-1, 10629120, 0, 4096, 4096, 4, ... 10629120, 4096, ) == 0x0 00534 392 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00535 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00536 392 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00537 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 392 NtProtectVirtualMemory (-1, (0x400000), 400, 4, ... (0x400000), 4096, 2, ) == 0x0 00539 392 NtFlushInstructionCache (-1, 4806880, 48, ... ) == 0x0 00540 392 NtFlushInstructionCache (-1, 4806880, 80, ... ) == 0x0 00541 392 NtFlushInstructionCache (-1, 4806928, 71, ... ) == 0x0 00542 392 NtFlushInstructionCache (-1, 4806960, 82, ... ) == 0x0 00543 392 NtFlushInstructionCache (-1, 4806999, 43, ... ) == 0x0 00544 392 NtFlushInstructionCache (-1, 4807080, 95, ... ) == 0x0 00545 392 NtAllocateVirtualMemory (-1, 9850880, 0, 81920, 4096, 4, ... 9850880, 81920, ) == 0x0 00546 392 NtFlushInstructionCache (-1, 4807080, 210, ... ) == 0x0 00547 392 NtFreeVirtualMemory (-1, (0x975000), 8192, 16384, ... (0x975000), 8192, ) == 0x0 00548 392 NtFlushInstructionCache (-1, 4807175, 115, ... ) == 0x0 00549 392 NtFreeVirtualMemory (-1, (0x961000), 77824, 16384, ... (0x961000), 77824, ) == 0x0 00550 392 NtFlushInstructionCache (-1, 4806880, 48, ... ) == 0x0 00551 392 NtFlushInstructionCache (-1, 4806880, 80, ... ) == 0x0 00552 392 NtFlushInstructionCache (-1, 4806928, 71, ... ) == 0x0 00553 392 NtFlushInstructionCache (-1, 4806960, 82, ... ) == 0x0 00554 392 NtFlushInstructionCache (-1, 4806999, 43, ... ) == 0x0 00555 392 NtFlushInstructionCache (-1, 4807080, 95, ... ) == 0x0 00556 392 NtFlushInstructionCache (-1, 4807080, 210, ... ) == 0x0 00557 392 NtFlushInstructionCache (-1, 4807175, 115, ... ) == 0x0 00558 392 NtFlushInstructionCache (-1, 4806880, 48, ... ) == 0x0 00559 392 NtFlushInstructionCache (-1, 4806880, 80, ... ) == 0x0 00560 392 NtFlushInstructionCache (-1, 4806928, 71, ... 
) == 0x0 00561 392 NtFlushInstructionCache (-1, 4806960, 82, ... ) == 0x0 00562 392 NtFlushInstructionCache (-1, 4806999, 43, ... ) == 0x0 00563 392 NtFlushInstructionCache (-1, 4807080, 95, ... ) == 0x0 00564 392 NtFlushInstructionCache (-1, 4807080, 210, ... ) == 0x0 00565 392 NtAllocateVirtualMemory (-1, 9834496, 0, 36864, 4096, 4, ... 9834496, 36864, ) == 0x0 00566 392 NtFreeVirtualMemory (-1, (0x8eb000), 20480, 16384, ... (0x8eb000), 20480, ) == 0x0 00567 392 NtFlushInstructionCache (-1, 4807175, 115, ... ) == 0x0 00568 392 NtFreeVirtualMemory (-1, (0x8e4000), 28672, 16384, ... (0x8e4000), 28672, ) == 0x0 00569 392 NtFlushInstructionCache (-1, 4806880, 48, ... ) == 0x0 00570 392 NtFlushInstructionCache (-1, 4806880, 80, ... ) == 0x0 00571 392 NtFlushInstructionCache (-1, 4806928, 71, ... ) == 0x0 00572 392 NtFlushInstructionCache (-1, 4806960, 82, ... ) == 0x0 00573 392 NtFlushInstructionCache (-1, 4806999, 43, ... ) == 0x0 00574 392 NtProtectVirtualMemory (-1, (0x400000), 400, 2, ... (0x400000), 4096, 4, ) == 0x0 00575 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 56, ) }, ... 56, ) == 0x0 00576 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00577 392 NtClose (56, ... ) == 0x0 00578 392 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 56, ) == 0x0 00579 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00580 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 104, ) }, ... 104, ) == 0x0 00581 392 NtNotifyChangeKey (104, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00582 392 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00583 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 108, ) == 0x0 00584 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
112, ) == 0x0 00585 392 NtProtectVirtualMemory (-1, (0x77dd1418), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00586 392 NtProtectVirtualMemory (-1, (0x77dd1418), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00587 392 NtProtectVirtualMemory (-1, (0x77dd1434), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00588 392 NtProtectVirtualMemory (-1, (0x77dd1434), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00589 392 NtProtectVirtualMemory (-1, (0x77dd143c), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00590 392 NtProtectVirtualMemory (-1, (0x77dd143c), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00591 392 NtProtectVirtualMemory (-1, (0x77dd1440), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00592 392 NtProtectVirtualMemory (-1, (0x77dd1440), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00593 392 NtProtectVirtualMemory (-1, (0x77dd144c), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00594 392 NtProtectVirtualMemory (-1, (0x77dd144c), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00595 392 NtProtectVirtualMemory (-1, (0x77dd14cc), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00596 392 NtProtectVirtualMemory (-1, (0x77dd14cc), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00597 392 NtProtectVirtualMemory (-1, (0x77dd14d8), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00598 392 NtProtectVirtualMemory (-1, (0x77dd14d8), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00599 392 NtProtectVirtualMemory (-1, (0x77dd14e4), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00600 392 NtProtectVirtualMemory (-1, (0x77dd14e4), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00601 392 NtProtectVirtualMemory (-1, (0x77dd14ec), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00602 392 NtProtectVirtualMemory (-1, (0x77dd14ec), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00603 392 NtProtectVirtualMemory (-1, (0x77dd1554), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00604 392 NtProtectVirtualMemory (-1, (0x77dd1554), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00605 392 NtProtectVirtualMemory (-1, (0x77dd155c), 4, 4, ... 
(0x77dd1000), 4096, 32, ) == 0x0 00606 392 NtProtectVirtualMemory (-1, (0x77dd155c), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00607 392 NtProtectVirtualMemory (-1, (0x77dd1564), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00608 392 NtProtectVirtualMemory (-1, (0x77dd1564), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00609 392 NtProtectVirtualMemory (-1, (0x77dd1568), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00610 392 NtProtectVirtualMemory (-1, (0x77dd1568), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00611 392 NtProtectVirtualMemory (-1, (0x77dd156c), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00612 392 NtProtectVirtualMemory (-1, (0x77dd156c), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00613 392 NtProtectVirtualMemory (-1, (0x77dd1570), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00614 392 NtProtectVirtualMemory (-1, (0x77dd1570), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00615 392 NtProtectVirtualMemory (-1, (0x77dd1574), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00616 392 NtProtectVirtualMemory (-1, (0x77dd1574), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00617 392 NtProtectVirtualMemory (-1, (0x77dd1578), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00618 392 NtProtectVirtualMemory (-1, (0x77dd1578), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00619 392 NtProtectVirtualMemory (-1, (0x77dd1590), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00620 392 NtProtectVirtualMemory (-1, (0x77dd1590), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00621 392 NtProtectVirtualMemory (-1, (0x77dd15a8), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00622 392 NtProtectVirtualMemory (-1, (0x77dd15a8), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00623 392 NtProtectVirtualMemory (-1, (0x77dd15b4), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00624 392 NtProtectVirtualMemory (-1, (0x77dd15b4), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00625 392 NtProtectVirtualMemory (-1, (0x77dd15b8), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00626 392 NtProtectVirtualMemory (-1, (0x77dd15b8), 4, 32, ... 
(0x77dd1000), 4096, 4, ) == 0x0 00627 392 NtProtectVirtualMemory (-1, (0x77dd15bc), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00628 392 NtProtectVirtualMemory (-1, (0x77dd15bc), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00629 392 NtProtectVirtualMemory (-1, (0x77dd15c0), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00630 392 NtProtectVirtualMemory (-1, (0x77dd15c0), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00631 392 NtProtectVirtualMemory (-1, (0x77dd15c4), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00632 392 NtProtectVirtualMemory (-1, (0x77dd15c4), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00633 392 NtProtectVirtualMemory (-1, (0x77dd15c8), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00634 392 NtProtectVirtualMemory (-1, (0x77dd15c8), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00635 392 NtProtectVirtualMemory (-1, (0x77dd15e0), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00636 392 NtProtectVirtualMemory (-1, (0x77dd15e0), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00637 392 NtProtectVirtualMemory (-1, (0x77dd15e4), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00638 392 NtProtectVirtualMemory (-1, (0x77dd15e4), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00639 392 NtProtectVirtualMemory (-1, (0x77dd15e8), 4, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00640 392 NtProtectVirtualMemory (-1, (0x77dd15e8), 4, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00641 392 NtProtectVirtualMemory (-1, (0x77cc114c), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00642 392 NtProtectVirtualMemory (-1, (0x77cc114c), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00643 392 NtProtectVirtualMemory (-1, (0x77cc11a4), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00644 392 NtProtectVirtualMemory (-1, (0x77cc11a4), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00645 392 NtProtectVirtualMemory (-1, (0x77cc11ac), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00646 392 NtProtectVirtualMemory (-1, (0x77cc11ac), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00647 392 NtProtectVirtualMemory (-1, (0x77cc11b0), 4, 4, ... 
(0x77cc1000), 4096, 32, ) == 0x0 00648 392 NtProtectVirtualMemory (-1, (0x77cc11b0), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00649 392 NtProtectVirtualMemory (-1, (0x77cc11dc), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00650 392 NtProtectVirtualMemory (-1, (0x77cc11dc), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00651 392 NtProtectVirtualMemory (-1, (0x77cc11e8), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00652 392 NtProtectVirtualMemory (-1, (0x77cc11e8), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00653 392 NtProtectVirtualMemory (-1, (0x77cc1214), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00654 392 NtProtectVirtualMemory (-1, (0x77cc1214), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00655 392 NtProtectVirtualMemory (-1, (0x77cc1218), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00656 392 NtProtectVirtualMemory (-1, (0x77cc1218), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00657 392 NtProtectVirtualMemory (-1, (0x77cc1278), 4, 4, ... (0x77cc1000), 4096, 32, ) == 0x0 00658 392 NtProtectVirtualMemory (-1, (0x77cc1278), 4, 32, ... (0x77cc1000), 4096, 4, ) == 0x0 00659 392 NtProtectVirtualMemory (-1, (0x71b210fc), 4, 4, ... (0x71b21000), 4096, 32, ) == 0x0 00660 392 NtProtectVirtualMemory (-1, (0x71b210fc), 4, 32, ... (0x71b21000), 4096, 4, ) == 0x0 00661 392 NtProtectVirtualMemory (-1, (0x71b21100), 4, 4, ... (0x71b21000), 4096, 32, ) == 0x0 00662 392 NtProtectVirtualMemory (-1, (0x71b21100), 4, 32, ... (0x71b21000), 4096, 4, ) == 0x0 00663 392 NtProtectVirtualMemory (-1, (0x71b21144), 4, 4, ... (0x71b21000), 4096, 32, ) == 0x0 00664 392 NtProtectVirtualMemory (-1, (0x71b21144), 4, 32, ... (0x71b21000), 4096, 4, ) == 0x0 00665 392 NtProtectVirtualMemory (-1, (0x71b21168), 4, 4, ... (0x71b21000), 4096, 32, ) == 0x0 00666 392 NtProtectVirtualMemory (-1, (0x71b21168), 4, 32, ... (0x71b21000), 4096, 4, ) == 0x0 00667 392 NtProtectVirtualMemory (-1, (0x71b2117c), 4, 4, ... (0x71b21000), 4096, 32, ) == 0x0 00668 392 NtProtectVirtualMemory (-1, (0x71b2117c), 4, 32, ... 
(0x71b21000), 4096, 4, ) == 0x0 00669 392 NtProtectVirtualMemory (-1, (0x77d41140), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00670 392 NtProtectVirtualMemory (-1, (0x77d41140), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00671 392 NtProtectVirtualMemory (-1, (0x77d41150), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00672 392 NtProtectVirtualMemory (-1, (0x77d41150), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00673 392 NtProtectVirtualMemory (-1, (0x77d41158), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00674 392 NtProtectVirtualMemory (-1, (0x77d41158), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00675 392 NtProtectVirtualMemory (-1, (0x77d4119c), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00676 392 NtProtectVirtualMemory (-1, (0x77d4119c), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00677 392 NtProtectVirtualMemory (-1, (0x77d411a0), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00678 392 NtProtectVirtualMemory (-1, (0x77d411a0), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00679 392 NtProtectVirtualMemory (-1, (0x77d411a4), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00680 392 NtProtectVirtualMemory (-1, (0x77d411a4), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00681 392 NtProtectVirtualMemory (-1, (0x77d411a8), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00682 392 NtProtectVirtualMemory (-1, (0x77d411a8), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00683 392 NtProtectVirtualMemory (-1, (0x77d411ac), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00684 392 NtProtectVirtualMemory (-1, (0x77d411ac), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00685 392 NtProtectVirtualMemory (-1, (0x77d411b0), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00686 392 NtProtectVirtualMemory (-1, (0x77d411b0), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00687 392 NtProtectVirtualMemory (-1, (0x77d411fc), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00688 392 NtProtectVirtualMemory (-1, (0x77d411fc), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00689 392 NtProtectVirtualMemory (-1, (0x77d41200), 4, 4, ... 
(0x77d41000), 4096, 32, ) == 0x0 00690 392 NtProtectVirtualMemory (-1, (0x77d41200), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00691 392 NtProtectVirtualMemory (-1, (0x77d41204), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00692 392 NtProtectVirtualMemory (-1, (0x77d41204), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00693 392 NtProtectVirtualMemory (-1, (0x77d41238), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00694 392 NtProtectVirtualMemory (-1, (0x77d41238), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00695 392 NtProtectVirtualMemory (-1, (0x77d4123c), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00696 392 NtProtectVirtualMemory (-1, (0x77d4123c), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00697 392 NtProtectVirtualMemory (-1, (0x77d41248), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00698 392 NtProtectVirtualMemory (-1, (0x77d41248), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00699 392 NtProtectVirtualMemory (-1, (0x77d4127c), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00700 392 NtProtectVirtualMemory (-1, (0x77d4127c), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00701 392 NtProtectVirtualMemory (-1, (0x77d41280), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00702 392 NtProtectVirtualMemory (-1, (0x77d41280), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00703 392 NtProtectVirtualMemory (-1, (0x77d41284), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00704 392 NtProtectVirtualMemory (-1, (0x77d41284), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00705 392 NtProtectVirtualMemory (-1, (0x77d4128c), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00706 392 NtProtectVirtualMemory (-1, (0x77d4128c), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00707 392 NtProtectVirtualMemory (-1, (0x77d412b0), 4, 4, ... (0x77d41000), 4096, 32, ) == 0x0 00708 392 NtProtectVirtualMemory (-1, (0x77d412b0), 4, 32, ... (0x77d41000), 4096, 4, ) == 0x0 00709 392 NtProtectVirtualMemory (-1, (0x77c710dc), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00710 392 NtProtectVirtualMemory (-1, (0x77c710dc), 4, 32, ... 
(0x77c71000), 4096, 4, ) == 0x0 00711 392 NtProtectVirtualMemory (-1, (0x77c710e0), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00712 392 NtProtectVirtualMemory (-1, (0x77c710e0), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00713 392 NtProtectVirtualMemory (-1, (0x77c710f8), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00714 392 NtProtectVirtualMemory (-1, (0x77c710f8), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00715 392 NtProtectVirtualMemory (-1, (0x77c71100), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00716 392 NtProtectVirtualMemory (-1, (0x77c71100), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00717 392 NtProtectVirtualMemory (-1, (0x77c71104), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00718 392 NtProtectVirtualMemory (-1, (0x77c71104), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00719 392 NtProtectVirtualMemory (-1, (0x77c71108), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00720 392 NtProtectVirtualMemory (-1, (0x77c71108), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00721 392 NtProtectVirtualMemory (-1, (0x77c71148), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00722 392 NtProtectVirtualMemory (-1, (0x77c71148), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00723 392 NtProtectVirtualMemory (-1, (0x77c7114c), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00724 392 NtProtectVirtualMemory (-1, (0x77c7114c), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00725 392 NtProtectVirtualMemory (-1, (0x77c71150), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00726 392 NtProtectVirtualMemory (-1, (0x77c71150), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00727 392 NtProtectVirtualMemory (-1, (0x77c71170), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00728 392 NtProtectVirtualMemory (-1, (0x77c71170), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00729 392 NtProtectVirtualMemory (-1, (0x77c71174), 4, 4, ... (0x77c71000), 4096, 32, ) == 0x0 00730 392 NtProtectVirtualMemory (-1, (0x77c71174), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00731 392 NtProtectVirtualMemory (-1, (0x77c71184), 4, 4, ... 
(0x77c71000), 4096, 32, ) == 0x0 00732 392 NtProtectVirtualMemory (-1, (0x77c71184), 4, 32, ... (0x77c71000), 4096, 4, ) == 0x0 00733 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00734 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242232, ... ) }, 1242232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00735 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242232, ... ) }, 1242232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00736 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242232, ... ) }, 1242232, ... ) == 0x0 00737 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00738 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 120, ) == 0x0 00739 392 NtQuerySection (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00740 392 NtOpenProcessToken (-1, 0x8, ... 124, ) == 0x0 00741 392 NtQueryInformationToken (124, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00742 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0 00744 392 NtQueryValueKey (128, (128, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00745 392 NtClose (128, ... 
) == 0x0 00746 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00747 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 128, ) == 0x0 00748 392 NtQueryInformationToken (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00749 392 NtClose (128, ... ) == 0x0 00750 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 392 NtClose (124, ... ) == 0x0 00752 392 NtClose (116, ... ) == 0x0 00753 392 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00754 392 NtClose (120, ... ) == 0x0 00755 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00756 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241428, ... ) }, 1241428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00757 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241428, ... ) }, 1241428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00758 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241428, ... ) }, 1241428, ... ) == 0x0 00759 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00760 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 120, ... 116, ) == 0x0 00761 392 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00762 392 NtClose (120, ... ) == 0x0 00763 392 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00764 392 NtClose (116, ... ) == 0x0 00765 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00766 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00767 392 NtProtectVirtualMemory (-1, (0x77c11014), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00768 392 NtProtectVirtualMemory (-1, (0x77c11014), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00769 392 NtProtectVirtualMemory (-1, (0x77c11020), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00770 392 NtProtectVirtualMemory (-1, (0x77c11020), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00771 392 NtProtectVirtualMemory (-1, (0x77c11024), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00772 392 NtProtectVirtualMemory (-1, (0x77c11024), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00773 392 NtProtectVirtualMemory (-1, (0x77c11034), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00774 392 NtProtectVirtualMemory (-1, (0x77c11034), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00775 392 NtProtectVirtualMemory (-1, (0x77c11038), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00776 392 NtProtectVirtualMemory (-1, (0x77c11038), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00777 392 NtProtectVirtualMemory (-1, (0x77c1104c), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00778 392 NtProtectVirtualMemory (-1, (0x77c1104c), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00779 392 NtProtectVirtualMemory (-1, (0x77c11078), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00780 392 NtProtectVirtualMemory (-1, (0x77c11078), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00781 392 NtProtectVirtualMemory (-1, (0x77c110b4), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00782 392 NtProtectVirtualMemory (-1, (0x77c110b4), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00783 392 NtProtectVirtualMemory (-1, (0x77c110c0), 4, 4, ... 
(0x77c11000), 4096, 32, ) == 0x0 00784 392 NtProtectVirtualMemory (-1, (0x77c110c0), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00785 392 NtProtectVirtualMemory (-1, (0x77c110cc), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00786 392 NtProtectVirtualMemory (-1, (0x77c110cc), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00787 392 NtProtectVirtualMemory (-1, (0x77c110d0), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00788 392 NtProtectVirtualMemory (-1, (0x77c110d0), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00789 392 NtProtectVirtualMemory (-1, (0x77c110d4), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00790 392 NtProtectVirtualMemory (-1, (0x77c110d4), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00791 392 NtProtectVirtualMemory (-1, (0x77c11110), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00792 392 NtProtectVirtualMemory (-1, (0x77c11110), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00793 392 NtProtectVirtualMemory (-1, (0x77c11114), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00794 392 NtProtectVirtualMemory (-1, (0x77c11114), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00795 392 NtProtectVirtualMemory (-1, (0x77c11170), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00796 392 NtProtectVirtualMemory (-1, (0x77c11170), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00797 392 NtProtectVirtualMemory (-1, (0x77c11194), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00798 392 NtProtectVirtualMemory (-1, (0x77c11194), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00799 392 NtProtectVirtualMemory (-1, (0x77c11198), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00800 392 NtProtectVirtualMemory (-1, (0x77c11198), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00801 392 NtProtectVirtualMemory (-1, (0x77c1119c), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00802 392 NtProtectVirtualMemory (-1, (0x77c1119c), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00803 392 NtProtectVirtualMemory (-1, (0x77c111a0), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00804 392 NtProtectVirtualMemory (-1, (0x77c111a0), 4, 32, ... 
(0x77c11000), 4096, 4, ) == 0x0 00805 392 NtProtectVirtualMemory (-1, (0x77c111a8), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00806 392 NtProtectVirtualMemory (-1, (0x77c111a8), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00807 392 NtProtectVirtualMemory (-1, (0x77c111ac), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00808 392 NtProtectVirtualMemory (-1, (0x77c111ac), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00809 392 NtProtectVirtualMemory (-1, (0x77c11214), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00810 392 NtProtectVirtualMemory (-1, (0x77c11214), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00811 392 NtProtectVirtualMemory (-1, (0x77c11234), 4, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00812 392 NtProtectVirtualMemory (-1, (0x77c11234), 4, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00813 392 NtProtectVirtualMemory (-1, (0x71aa10d0), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00814 392 NtProtectVirtualMemory (-1, (0x71aa10d0), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00815 392 NtProtectVirtualMemory (-1, (0x71aa10d4), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00816 392 NtProtectVirtualMemory (-1, (0x71aa10d4), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00817 392 NtProtectVirtualMemory (-1, (0x71aa1104), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00818 392 NtProtectVirtualMemory (-1, (0x71aa1104), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00819 392 NtProtectVirtualMemory (-1, (0x71aa1120), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00820 392 NtProtectVirtualMemory (-1, (0x71aa1120), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00821 392 NtProtectVirtualMemory (-1, (0x71aa1138), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00822 392 NtProtectVirtualMemory (-1, (0x71aa1138), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00823 392 NtProtectVirtualMemory (-1, (0x71aa113c), 4, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00824 392 NtProtectVirtualMemory (-1, (0x71aa113c), 4, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00825 392 NtProtectVirtualMemory (-1, (0x71ab1120), 4, 4, ... 
(0x71ab1000), 4096, 32, ) == 0x0 00826 392 NtProtectVirtualMemory (-1, (0x71ab1120), 4, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00827 392 NtProtectVirtualMemory (-1, (0x71ab1128), 4, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00828 392 NtProtectVirtualMemory (-1, (0x71ab1128), 4, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00829 392 NtProtectVirtualMemory (-1, (0x71ab112c), 4, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00830 392 NtProtectVirtualMemory (-1, (0x71ab112c), 4, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00831 392 NtProtectVirtualMemory (-1, (0x71ab1134), 4, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00832 392 NtProtectVirtualMemory (-1, (0x71ab1134), 4, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00833 392 NtProtectVirtualMemory (-1, (0x71ab113c), 4, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00834 392 NtProtectVirtualMemory (-1, (0x71ab113c), 4, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00835 392 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00836 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1242184, ... ) }, 1242184, ... ) == 0x0 00837 392 NtProtectVirtualMemory (-1, (0x424000), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00838 392 NtProtectVirtualMemory (-1, (0x424000), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00839 392 NtProtectVirtualMemory (-1, (0x42401c), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00840 392 NtProtectVirtualMemory (-1, (0x42401c), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00841 392 NtProtectVirtualMemory (-1, (0x424074), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00842 392 NtProtectVirtualMemory (-1, (0x424074), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00843 392 NtProtectVirtualMemory (-1, (0x424078), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00844 392 NtProtectVirtualMemory (-1, (0x424078), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00845 392 NtProtectVirtualMemory (-1, (0x424084), 4, 4, ... 
(0x424000), 4096, 64, ) == 0x0 00846 392 NtProtectVirtualMemory (-1, (0x424084), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00847 392 NtProtectVirtualMemory (-1, (0x424094), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00848 392 NtProtectVirtualMemory (-1, (0x424094), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00849 392 NtProtectVirtualMemory (-1, (0x4240a4), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00850 392 NtProtectVirtualMemory (-1, (0x4240a4), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00851 392 NtProtectVirtualMemory (-1, (0x4240a8), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00852 392 NtProtectVirtualMemory (-1, (0x4240a8), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00853 392 NtProtectVirtualMemory (-1, (0x4240ac), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00854 392 NtProtectVirtualMemory (-1, (0x4240ac), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00855 392 NtProtectVirtualMemory (-1, (0x4240b8), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00856 392 NtProtectVirtualMemory (-1, (0x4240b8), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00857 392 NtProtectVirtualMemory (-1, (0x4240bc), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00858 392 NtProtectVirtualMemory (-1, (0x4240bc), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00859 392 NtProtectVirtualMemory (-1, (0x4240c0), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00860 392 NtProtectVirtualMemory (-1, (0x4240c0), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00861 392 NtProtectVirtualMemory (-1, (0x4240d4), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00862 392 NtProtectVirtualMemory (-1, (0x4240d4), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00863 392 NtProtectVirtualMemory (-1, (0x4240dc), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00864 392 NtProtectVirtualMemory (-1, (0x4240dc), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00865 392 NtProtectVirtualMemory (-1, (0x4240e0), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00866 392 NtProtectVirtualMemory (-1, (0x4240e0), 4, 64, ... 
(0x424000), 4096, 4, ) == 0x0 00867 392 NtProtectVirtualMemory (-1, (0x424100), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00868 392 NtProtectVirtualMemory (-1, (0x424100), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00869 392 NtProtectVirtualMemory (-1, (0x424110), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00870 392 NtProtectVirtualMemory (-1, (0x424110), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00871 392 NtProtectVirtualMemory (-1, (0x424114), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00872 392 NtProtectVirtualMemory (-1, (0x424114), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00873 392 NtProtectVirtualMemory (-1, (0x42414c), 4, 4, ... (0x424000), 4096, 64, ) == 0x0 00874 392 NtProtectVirtualMemory (-1, (0x42414c), 4, 64, ... (0x424000), 4096, 4, ) == 0x0 00875 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00876 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10747904, 65536, ) == 0x0 00877 392 NtAllocateVirtualMemory (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0 00878 392 NtAllocateVirtualMemory (-1, 10752000, 0, 4096, 4096, 4, ... 10752000, 4096, ) == 0x0 00879 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\USER32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 00880 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 00881 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 116, ) }, ... 116, ) == 0x0 00882 392 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00883 392 NtClose (116, ... 
) == 0x0 00884 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 116, ) }, ... 116, ) == 0x0 00885 392 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00886 392 NtClose (116, ... ) == 0x0 00887 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 116, ) }, ... 116, ) == 0x0 00888 392 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00889 392 NtClose (116, ... ) == 0x0 00890 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 116, ) }, ... 116, ) == 0x0 00891 392 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00892 392 NtClose (116, ... ) == 0x0 00893 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 392 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00896 392 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00897 392 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00898 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1240240, 0, (0x1f0003, {24, 52, 0x80, 1240240, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00899 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 116, ) }, ... 116, ) == 0x0 00900 392 NtAllocateVirtualMemory (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0 00901 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00902 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 00903 392 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00904 392 NtClose (120, ... ) == 0x0 00905 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0 00906 392 NtSetInformationObject (120, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00907 392 NtCreateKey (0xf003f, {24, 120, 0x40, 0, 0, (0xf003f, {24, 120, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 124, 2, ) }, 0, 0x0, 0, ... 124, 2, ) == 0x0 00908 392 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00909 392 NtQueryDefaultUILanguage (1238476, ... 00910 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00911 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00912 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00913 392 NtClose (-2147482020, ... ) == 0x0 00914 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00915 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00917 392 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 392 NtClose (-2147482032, ... ) == 0x0 00919 392 NtClose (-2147482020, ... 
) == 0x0 00909 392 NtQueryDefaultUILanguage ... ) == 0x0 00920 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 392 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00922 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 128, {status=0x0, info=1}, ) }, 1, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00923 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 128, ... 132, ) == 0x0 00924 392 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 593920, ) == 0x0 00925 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 392 NtQueryDefaultUILanguage (2013024600, ... 00927 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00928 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00929 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00930 392 NtClose (-2147482020, ... ) == 0x0 00931 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00932 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00934 392 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00935 392 NtClose (-2147482032, ... ) == 0x0 00936 392 NtClose (-2147482020, ... ) == 0x0 00926 392 NtQueryDefaultUILanguage ... ) == 0x0 00937 392 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00938 392 NtQueryDefaultLocale (1, 1236512, ... ) == 0x0 00939 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237368, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237368, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\344\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\344\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\350\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1504, 0} (24, {128, 156, new_msg, 0, 1237368, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\344\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\344\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\350\22\0\0\0\0\0" ) ) == 0x0 00941 392 NtClose (128, ... 
) == 0x0 00942 392 NtClose (132, ... ) == 0x0 00943 392 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00944 392 NtUnmapViewOfSection (-1, 0x12e878, ... ) == STATUS_NOT_MAPPED_VIEW 00945 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00946 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00948 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00949 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235052, ... ) }, 1235052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00951 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00952 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00953 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235644, ... ) }, 1235644, ... ) == 0x0 00954 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 132, {status=0x0, info=1}, ) }, 3, 33, ... 132, {status=0x0, info=1}, ) == 0x0 00955 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00956 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00957 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 128, ... 136, ) == 0x0 00958 392 NtClose (128, ... ) == 0x0 00959 392 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb00000), 0x0, 921600, ) == 0x0 00960 392 NtClose (136, ... 
) == 0x0 00961 392 NtUnmapViewOfSection (-1, 0xb00000, ... ) == 0x0 00962 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00963 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 128, ) == 0x0 00964 392 NtQuerySection (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00965 392 NtClose (136, ... ) == 0x0 00966 392 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00967 392 NtClose (128, ... ) == 0x0 00968 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00969 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00970 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00971 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00972 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00973 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00974 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00975 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00976 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00977 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00978 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00979 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00980 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00981 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00982 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00983 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00984 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00985 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00986 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00987 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00988 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00989 392 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1236828, ... ) , 42, 1236828, ... ) == 0x0 00990 392 NtQueryDefaultUILanguage (1235544, ... 00991 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00992 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00993 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00994 392 NtClose (-2147482020, ... ) == 0x0 00995 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00996 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00998 392 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00999 392 NtClose (-2147482032, ... ) == 0x0 01000 392 NtClose (-2147482020, ... ) == 0x0 00990 392 NtQueryDefaultUILanguage ... 
) == 0x0 01001 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234396, ... ) }, 1234396, ... ) == 0x0 01003 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 01004 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 128, ... 136, ) == 0x0 01005 392 NtClose (128, ... ) == 0x0 01006 392 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 4096, ) == 0x0 01007 392 NtClose (136, ... ) == 0x0 01008 392 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01009 392 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01010 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234036, ... ) }, 1234036, ... ) == 0x0 01011 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234736, (0x80100080, {24, 0, 0x40, 0, 1234736, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01012 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 136, ... 128, ) == 0x0 01013 392 NtClose (136, ... ) == 0x0 01014 392 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa50000), {0, 0}, 4096, ) == 0x0 01015 392 NtClose (128, ... ) == 0x0 01016 392 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01017 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 128, {status=0x0, info=1}, ) }, 1, 96, ... 
128, {status=0x0, info=1}, ) == 0x0 01018 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 128, ... 136, ) == 0x0 01019 392 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 4096, ) == 0x0 01020 392 NtQueryInformationFile (128, 1234356, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01021 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01022 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\200\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1505, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\200\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1505, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\200\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1505, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\200\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ) == 0x0 01023 392 NtClose (128, ... 
) == 0x0 01024 392 NtClose (136, ... ) == 0x0 01025 392 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01026 392 NtUnmapViewOfSection (-1, 0x12dd04, ... ) == STATUS_NOT_MAPPED_VIEW 01027 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01028 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01029 392 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01030 392 NtUserGetDC (0, ... ) == 0x1010052 01031 392 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01032 392 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 01033 392 NtUserSystemParametersInfo (66, 12, 1236848, 0, ... ) == 0x1 01034 392 NtOpenProcessToken (-1, 0x8, ... 136, ) == 0x0 01035 392 NtAccessCheck (1362096, 136, 0x1, 1236252, 1236196, 56, 1236280, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01036 392 NtClose (136, ... ) == 0x0 01037 392 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0 01038 392 NtQueryValueKey (136, (136, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01039 392 NtClose (136, ... ) == 0x0 01040 392 NtUserSystemParametersInfo (41, 500, 1236348, 0, ... ) == 0x1 01041 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 136, ) }, ... 136, ) == 0x0 01042 392 NtQueryValueKey (136, (136, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01043 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 128, ) }, ... 128, ) == 0x0 01044 392 NtQueryValueKey (128, (128, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01045 392 NtClose (128, ... ) == 0x0 01046 392 NtClose (136, ... ) == 0x0 01047 392 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... 
) == 0x1 01048 392 NtUserSystemParametersInfo (4130, 0, 1236872, 0, ... ) == 0x1 01049 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 136, ) }, ... 136, ) == 0x0 01050 392 NtEnumerateValueKey (136, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01051 392 NtClose (136, ... ) == 0x0 01052 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01053 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc03b 01054 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc03d 01055 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01056 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc03f 01057 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01058 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc041 01059 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01060 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc043 01061 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc045 01062 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01063 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc047 01064 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01065 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc049 01066 392 NtUserGetClassInfo (1905590272, 1236768, 1236720, 1236796, 0, ... ) == 0xc049 01067 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01068 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... 
) == 0x810dc04b 01069 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01070 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc04d 01071 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01072 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc04f 01073 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc051 01074 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01075 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc053 01076 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01077 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc055 01078 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc057 01079 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01080 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc059 01081 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10013 01082 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc05b 01083 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01084 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc05d 01085 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01086 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc05f 01087 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01088 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc017 01089 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... 
) == 0x10011 01090 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc019 01091 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10013 01092 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc018 01093 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01094 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc01a 01095 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01096 392 NtUserRegisterClassExWOW (1236604, 1236684, 1236668, 1236700, 0, 384, 0, ... ) == 0x810dc01c 01097 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01098 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... 01099 392 NtAllocateVirtualMemory (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0 01098 392 NtUserRegisterClassExWOW ... ) == 0x810dc01e 01100 392 NtUserFindExistingCursorIcon (1236152, 1236168, 1236736, ... ) == 0x10011 01101 392 NtUserRegisterClassExWOW (1236664, 1236744, 1236728, 1236760, 0, 384, 0, ... ) == 0x810dc01b 01102 392 NtUserFindExistingCursorIcon (1236148, 1236164, 1236732, ... ) == 0x10011 01103 392 NtUserRegisterClassExWOW (1236660, 1236740, 1236724, 1236756, 0, 384, 0, ... ) == 0x810dc068 01104 392 NtUserFindExistingCursorIcon (1236156, 1236172, 1236740, ... ) == 0x10011 01105 392 NtUserRegisterClassExWOW (1236608, 1236688, 1236672, 1236704, 0, 384, 0, ... ) == 0x810dc06a 01106 392 NtCreateKey (0x2001f, {24, 120, 0x40, 0, 0, (0x2001f, {24, 120, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 01107 392 NtProtectVirtualMemory (-1, (0x772d1114), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01108 392 NtProtectVirtualMemory (-1, (0x772d1114), 4, 32, ... 
(0x772d1000), 4096, 4, ) == 0x0 01109 392 NtProtectVirtualMemory (-1, (0x772d1120), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01110 392 NtProtectVirtualMemory (-1, (0x772d1120), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01111 392 NtProtectVirtualMemory (-1, (0x772d1124), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01112 392 NtProtectVirtualMemory (-1, (0x772d1124), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01113 392 NtProtectVirtualMemory (-1, (0x772d1128), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01114 392 NtProtectVirtualMemory (-1, (0x772d1128), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01115 392 NtProtectVirtualMemory (-1, (0x772d112c), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01116 392 NtProtectVirtualMemory (-1, (0x772d112c), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01117 392 NtProtectVirtualMemory (-1, (0x772d1150), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01118 392 NtProtectVirtualMemory (-1, (0x772d1150), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01119 392 NtProtectVirtualMemory (-1, (0x772d1184), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01120 392 NtProtectVirtualMemory (-1, (0x772d1184), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01121 392 NtProtectVirtualMemory (-1, (0x772d1190), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01122 392 NtProtectVirtualMemory (-1, (0x772d1190), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01123 392 NtProtectVirtualMemory (-1, (0x772d11a8), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01124 392 NtProtectVirtualMemory (-1, (0x772d11a8), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01125 392 NtProtectVirtualMemory (-1, (0x772d11b4), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01126 392 NtProtectVirtualMemory (-1, (0x772d11b4), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01127 392 NtProtectVirtualMemory (-1, (0x772d11bc), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01128 392 NtProtectVirtualMemory (-1, (0x772d11bc), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01129 392 NtProtectVirtualMemory (-1, (0x772d11c0), 4, 4, ... 
(0x772d1000), 4096, 32, ) == 0x0 01130 392 NtProtectVirtualMemory (-1, (0x772d11c0), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01131 392 NtProtectVirtualMemory (-1, (0x772d11c4), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01132 392 NtProtectVirtualMemory (-1, (0x772d11c4), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01133 392 NtProtectVirtualMemory (-1, (0x772d11e8), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01134 392 NtProtectVirtualMemory (-1, (0x772d11e8), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01135 392 NtProtectVirtualMemory (-1, (0x772d1200), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01136 392 NtProtectVirtualMemory (-1, (0x772d1200), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01137 392 NtProtectVirtualMemory (-1, (0x772d1210), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01138 392 NtProtectVirtualMemory (-1, (0x772d1210), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01139 392 NtProtectVirtualMemory (-1, (0x772d1214), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01140 392 NtProtectVirtualMemory (-1, (0x772d1214), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01141 392 NtProtectVirtualMemory (-1, (0x772d1260), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01142 392 NtProtectVirtualMemory (-1, (0x772d1260), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01143 392 NtProtectVirtualMemory (-1, (0x772d127c), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01144 392 NtProtectVirtualMemory (-1, (0x772d127c), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01145 392 NtProtectVirtualMemory (-1, (0x772d12c0), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01146 392 NtProtectVirtualMemory (-1, (0x772d12c0), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01147 392 NtProtectVirtualMemory (-1, (0x772d12d0), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01148 392 NtProtectVirtualMemory (-1, (0x772d12d0), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01149 392 NtProtectVirtualMemory (-1, (0x772d12d4), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01150 392 NtProtectVirtualMemory (-1, (0x772d12d4), 4, 32, ... 
(0x772d1000), 4096, 4, ) == 0x0 01151 392 NtProtectVirtualMemory (-1, (0x772d131c), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01152 392 NtProtectVirtualMemory (-1, (0x772d131c), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01153 392 NtProtectVirtualMemory (-1, (0x772d1370), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01154 392 NtProtectVirtualMemory (-1, (0x772d1370), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01155 392 NtProtectVirtualMemory (-1, (0x772d1374), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01156 392 NtProtectVirtualMemory (-1, (0x772d1374), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01157 392 NtProtectVirtualMemory (-1, (0x772d1380), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01158 392 NtProtectVirtualMemory (-1, (0x772d1380), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01159 392 NtProtectVirtualMemory (-1, (0x772d1384), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01160 392 NtProtectVirtualMemory (-1, (0x772d1384), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01161 392 NtProtectVirtualMemory (-1, (0x772d1388), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01162 392 NtProtectVirtualMemory (-1, (0x772d1388), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01163 392 NtProtectVirtualMemory (-1, (0x772d138c), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01164 392 NtProtectVirtualMemory (-1, (0x772d138c), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01165 392 NtProtectVirtualMemory (-1, (0x772d139c), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01166 392 NtProtectVirtualMemory (-1, (0x772d139c), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01167 392 NtProtectVirtualMemory (-1, (0x772d13ec), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01168 392 NtProtectVirtualMemory (-1, (0x772d13ec), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01169 392 NtProtectVirtualMemory (-1, (0x772d1460), 4, 4, ... (0x772d1000), 4096, 32, ) == 0x0 01170 392 NtProtectVirtualMemory (-1, (0x772d1460), 4, 32, ... (0x772d1000), 4096, 4, ) == 0x0 01171 392 NtProtectVirtualMemory (-1, (0x762c11f0), 4, 4, ... 
(0x762c1000), 4096, 32, ) == 0x0 01172 392 NtProtectVirtualMemory (-1, (0x762c11f0), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01173 392 NtProtectVirtualMemory (-1, (0x762c11f8), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01174 392 NtProtectVirtualMemory (-1, (0x762c11f8), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01175 392 NtProtectVirtualMemory (-1, (0x762c11fc), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01176 392 NtProtectVirtualMemory (-1, (0x762c11fc), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01177 392 NtProtectVirtualMemory (-1, (0x762c1204), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01178 392 NtProtectVirtualMemory (-1, (0x762c1204), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01179 392 NtProtectVirtualMemory (-1, (0x762c1208), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01180 392 NtProtectVirtualMemory (-1, (0x762c1208), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01181 392 NtProtectVirtualMemory (-1, (0x762c120c), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01182 392 NtProtectVirtualMemory (-1, (0x762c120c), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01183 392 NtProtectVirtualMemory (-1, (0x762c1218), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01184 392 NtProtectVirtualMemory (-1, (0x762c1218), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01185 392 NtProtectVirtualMemory (-1, (0x762c1220), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01186 392 NtProtectVirtualMemory (-1, (0x762c1220), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01187 392 NtProtectVirtualMemory (-1, (0x762c1244), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01188 392 NtProtectVirtualMemory (-1, (0x762c1244), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01189 392 NtProtectVirtualMemory (-1, (0x762c1248), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01190 392 NtProtectVirtualMemory (-1, (0x762c1248), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01191 392 NtProtectVirtualMemory (-1, (0x762c1258), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01192 392 NtProtectVirtualMemory (-1, (0x762c1258), 4, 32, ... 
(0x762c1000), 4096, 4, ) == 0x0 01193 392 NtProtectVirtualMemory (-1, (0x762c125c), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01194 392 NtProtectVirtualMemory (-1, (0x762c125c), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01195 392 NtProtectVirtualMemory (-1, (0x762c1260), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01196 392 NtProtectVirtualMemory (-1, (0x762c1260), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01197 392 NtProtectVirtualMemory (-1, (0x762c1264), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01198 392 NtProtectVirtualMemory (-1, (0x762c1264), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01199 392 NtProtectVirtualMemory (-1, (0x762c127c), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01200 392 NtProtectVirtualMemory (-1, (0x762c127c), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01201 392 NtProtectVirtualMemory (-1, (0x762c1298), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01202 392 NtProtectVirtualMemory (-1, (0x762c1298), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01203 392 NtProtectVirtualMemory (-1, (0x762c129c), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01204 392 NtProtectVirtualMemory (-1, (0x762c129c), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01205 392 NtProtectVirtualMemory (-1, (0x762c12d0), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01206 392 NtProtectVirtualMemory (-1, (0x762c12d0), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01207 392 NtProtectVirtualMemory (-1, (0x762c12fc), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01208 392 NtProtectVirtualMemory (-1, (0x762c12fc), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01209 392 NtProtectVirtualMemory (-1, (0x762c1324), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01210 392 NtProtectVirtualMemory (-1, (0x762c1324), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01211 392 NtProtectVirtualMemory (-1, (0x762c1328), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01212 392 NtProtectVirtualMemory (-1, (0x762c1328), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01213 392 NtProtectVirtualMemory (-1, (0x762c1330), 4, 4, ... 
(0x762c1000), 4096, 32, ) == 0x0 01214 392 NtProtectVirtualMemory (-1, (0x762c1330), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01215 392 NtProtectVirtualMemory (-1, (0x762c1334), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01216 392 NtProtectVirtualMemory (-1, (0x762c1334), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01217 392 NtProtectVirtualMemory (-1, (0x762c1350), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01218 392 NtProtectVirtualMemory (-1, (0x762c1350), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01219 392 NtProtectVirtualMemory (-1, (0x762c1358), 4, 4, ... (0x762c1000), 4096, 32, ) == 0x0 01220 392 NtProtectVirtualMemory (-1, (0x762c1358), 4, 32, ... (0x762c1000), 4096, 4, ) == 0x0 01221 392 NtProtectVirtualMemory (-1, (0x762012cc), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01222 392 NtProtectVirtualMemory (-1, (0x762012cc), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01223 392 NtProtectVirtualMemory (-1, (0x762012dc), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01224 392 NtProtectVirtualMemory (-1, (0x762012dc), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01225 392 NtProtectVirtualMemory (-1, (0x762012e0), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01226 392 NtProtectVirtualMemory (-1, (0x762012e0), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01227 392 NtProtectVirtualMemory (-1, (0x7620132c), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01228 392 NtProtectVirtualMemory (-1, (0x7620132c), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01229 392 NtProtectVirtualMemory (-1, (0x7620134c), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01230 392 NtProtectVirtualMemory (-1, (0x7620134c), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01231 392 NtProtectVirtualMemory (-1, (0x76201360), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01232 392 NtProtectVirtualMemory (-1, (0x76201360), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01233 392 NtProtectVirtualMemory (-1, (0x76201364), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01234 392 NtProtectVirtualMemory (-1, (0x76201364), 4, 32, ... 
(0x76201000), 4096, 4, ) == 0x0 01235 392 NtProtectVirtualMemory (-1, (0x76201368), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01236 392 NtProtectVirtualMemory (-1, (0x76201368), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01237 392 NtProtectVirtualMemory (-1, (0x76201380), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01238 392 NtProtectVirtualMemory (-1, (0x76201380), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01239 392 NtProtectVirtualMemory (-1, (0x76201388), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01240 392 NtProtectVirtualMemory (-1, (0x76201388), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01241 392 NtProtectVirtualMemory (-1, (0x762013a8), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01242 392 NtProtectVirtualMemory (-1, (0x762013a8), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01243 392 NtProtectVirtualMemory (-1, (0x762013c0), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01244 392 NtProtectVirtualMemory (-1, (0x762013c0), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01245 392 NtProtectVirtualMemory (-1, (0x762013c4), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01246 392 NtProtectVirtualMemory (-1, (0x762013c4), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01247 392 NtProtectVirtualMemory (-1, (0x762013d0), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01248 392 NtProtectVirtualMemory (-1, (0x762013d0), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01249 392 NtProtectVirtualMemory (-1, (0x762013e4), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01250 392 NtProtectVirtualMemory (-1, (0x762013e4), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01251 392 NtProtectVirtualMemory (-1, (0x76201400), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01252 392 NtProtectVirtualMemory (-1, (0x76201400), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01253 392 NtProtectVirtualMemory (-1, (0x76201404), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01254 392 NtProtectVirtualMemory (-1, (0x76201404), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01255 392 NtProtectVirtualMemory (-1, (0x76201414), 4, 4, ... 
(0x76201000), 4096, 32, ) == 0x0 01256 392 NtProtectVirtualMemory (-1, (0x76201414), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01257 392 NtProtectVirtualMemory (-1, (0x7620143c), 4, 4, ... (0x76201000), 4096, 32, ) == 0x0 01258 392 NtProtectVirtualMemory (-1, (0x7620143c), 4, 32, ... (0x76201000), 4096, 4, ) == 0x0 01259 392 NtProtectVirtualMemory (-1, (0x771b1124), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01260 392 NtProtectVirtualMemory (-1, (0x771b1124), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01261 392 NtProtectVirtualMemory (-1, (0x771b1150), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01262 392 NtProtectVirtualMemory (-1, (0x771b1150), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01263 392 NtProtectVirtualMemory (-1, (0x771b1154), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01264 392 NtProtectVirtualMemory (-1, (0x771b1154), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01265 392 NtProtectVirtualMemory (-1, (0x771b1164), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01266 392 NtProtectVirtualMemory (-1, (0x771b1164), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01267 392 NtProtectVirtualMemory (-1, (0x771b1168), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01268 392 NtProtectVirtualMemory (-1, (0x771b1168), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01269 392 NtProtectVirtualMemory (-1, (0x771b1170), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01270 392 NtProtectVirtualMemory (-1, (0x771b1170), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01271 392 NtProtectVirtualMemory (-1, (0x771b11e4), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01272 392 NtProtectVirtualMemory (-1, (0x771b11e4), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01273 392 NtProtectVirtualMemory (-1, (0x771b1228), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01274 392 NtProtectVirtualMemory (-1, (0x771b1228), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01275 392 NtProtectVirtualMemory (-1, (0x771b122c), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01276 392 NtProtectVirtualMemory (-1, (0x771b122c), 4, 32, ... 
(0x771b1000), 4096, 4, ) == 0x0 01277 392 NtProtectVirtualMemory (-1, (0x771b123c), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01278 392 NtProtectVirtualMemory (-1, (0x771b123c), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01279 392 NtProtectVirtualMemory (-1, (0x771b1260), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01280 392 NtProtectVirtualMemory (-1, (0x771b1260), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01281 392 NtProtectVirtualMemory (-1, (0x771b1274), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01282 392 NtProtectVirtualMemory (-1, (0x771b1274), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01283 392 NtProtectVirtualMemory (-1, (0x771b1280), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01284 392 NtProtectVirtualMemory (-1, (0x771b1280), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01285 392 NtProtectVirtualMemory (-1, (0x771b12a4), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01286 392 NtProtectVirtualMemory (-1, (0x771b12a4), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01287 392 NtProtectVirtualMemory (-1, (0x771b12a8), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01288 392 NtProtectVirtualMemory (-1, (0x771b12a8), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01289 392 NtProtectVirtualMemory (-1, (0x771b12ac), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01290 392 NtProtectVirtualMemory (-1, (0x771b12ac), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01291 392 NtProtectVirtualMemory (-1, (0x771b1314), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01292 392 NtProtectVirtualMemory (-1, (0x771b1314), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01293 392 NtProtectVirtualMemory (-1, (0x771b131c), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01294 392 NtProtectVirtualMemory (-1, (0x771b131c), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01295 392 NtProtectVirtualMemory (-1, (0x771b1320), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01296 392 NtProtectVirtualMemory (-1, (0x771b1320), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01297 392 NtProtectVirtualMemory (-1, (0x771b1324), 4, 4, ... 
(0x771b1000), 4096, 32, ) == 0x0 01298 392 NtProtectVirtualMemory (-1, (0x771b1324), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01299 392 NtProtectVirtualMemory (-1, (0x771b133c), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01300 392 NtProtectVirtualMemory (-1, (0x771b133c), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01301 392 NtProtectVirtualMemory (-1, (0x771b1340), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01302 392 NtProtectVirtualMemory (-1, (0x771b1340), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01303 392 NtProtectVirtualMemory (-1, (0x771b1350), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01304 392 NtProtectVirtualMemory (-1, (0x771b1350), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01305 392 NtProtectVirtualMemory (-1, (0x771b1364), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01306 392 NtProtectVirtualMemory (-1, (0x771b1364), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01307 392 NtProtectVirtualMemory (-1, (0x771b1368), 4, 4, ... (0x771b1000), 4096, 32, ) == 0x0 01308 392 NtProtectVirtualMemory (-1, (0x771b1368), 4, 32, ... (0x771b1000), 4096, 4, ) == 0x0 01309 392 NtProtectVirtualMemory (-1, (0x7712112c), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01310 392 NtProtectVirtualMemory (-1, (0x7712112c), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01311 392 NtProtectVirtualMemory (-1, (0x77121140), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01312 392 NtProtectVirtualMemory (-1, (0x77121140), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01313 392 NtProtectVirtualMemory (-1, (0x77121324), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01314 392 NtProtectVirtualMemory (-1, (0x77121324), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01315 392 NtProtectVirtualMemory (-1, (0x7712132c), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01316 392 NtProtectVirtualMemory (-1, (0x7712132c), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01317 392 NtProtectVirtualMemory (-1, (0x77121330), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01318 392 NtProtectVirtualMemory (-1, (0x77121330), 4, 32, ... 
(0x77121000), 4096, 4, ) == 0x0 01319 392 NtProtectVirtualMemory (-1, (0x7712139c), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01320 392 NtProtectVirtualMemory (-1, (0x7712139c), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01321 392 NtProtectVirtualMemory (-1, (0x771213c4), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01322 392 NtProtectVirtualMemory (-1, (0x771213c4), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01323 392 NtProtectVirtualMemory (-1, (0x771213d4), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01324 392 NtProtectVirtualMemory (-1, (0x771213d4), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01325 392 NtProtectVirtualMemory (-1, (0x771213f4), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01326 392 NtProtectVirtualMemory (-1, (0x771213f4), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01327 392 NtProtectVirtualMemory (-1, (0x771213f8), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01328 392 NtProtectVirtualMemory (-1, (0x771213f8), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01329 392 NtProtectVirtualMemory (-1, (0x77121400), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01330 392 NtProtectVirtualMemory (-1, (0x77121400), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01331 392 NtProtectVirtualMemory (-1, (0x77121404), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01332 392 NtProtectVirtualMemory (-1, (0x77121404), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01333 392 NtProtectVirtualMemory (-1, (0x7712140c), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01334 392 NtProtectVirtualMemory (-1, (0x7712140c), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01335 392 NtProtectVirtualMemory (-1, (0x77121410), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01336 392 NtProtectVirtualMemory (-1, (0x77121410), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01337 392 NtProtectVirtualMemory (-1, (0x77121424), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01338 392 NtProtectVirtualMemory (-1, (0x77121424), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01339 392 NtProtectVirtualMemory (-1, (0x77121430), 4, 4, ... 
(0x77121000), 4096, 32, ) == 0x0 01340 392 NtProtectVirtualMemory (-1, (0x77121430), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01341 392 NtProtectVirtualMemory (-1, (0x77121474), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01342 392 NtProtectVirtualMemory (-1, (0x77121474), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01343 392 NtProtectVirtualMemory (-1, (0x7712147c), 4, 4, ... (0x77121000), 4096, 32, ) == 0x0 01344 392 NtProtectVirtualMemory (-1, (0x7712147c), 4, 32, ... (0x77121000), 4096, 4, ) == 0x0 01345 392 NtQueryValueKey (136, (136, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 392 NtQueryValueKey (136, (136, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 392 NtQueryValueKey (136, (136, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 392 NtQueryValueKey (136, (136, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 392 NtQueryValueKey (136, (136, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 392 NtQueryValueKey (136, (136, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01351 392 NtQueryValueKey (136, (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01352 392 NtQueryValueKey (136, (136, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 392 NtQueryValueKey (136, (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableNegotiate", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01354 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01355 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239580, ... ) }, 1239580, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01356 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239580, ... ) }, 1239580, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01357 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239580, ... ) }, 1239580, ... ) == 0x0 01358 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 01359 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 140, ) == 0x0 01360 392 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01361 392 NtClose (128, ... ) == 0x0 01362 392 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 01363 392 NtClose (140, ... ) == 0x0 01364 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 140, ) == 0x0 01365 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0 01366 392 NtProtectVirtualMemory (-1, (0x76f910b8), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01367 392 NtProtectVirtualMemory (-1, (0x76f910b8), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01368 392 NtProtectVirtualMemory (-1, (0x76f910c4), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01369 392 NtProtectVirtualMemory (-1, (0x76f910c4), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01370 392 NtProtectVirtualMemory (-1, (0x76f910dc), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01371 392 NtProtectVirtualMemory (-1, (0x76f910dc), 4, 32, ... 
(0x76f91000), 4096, 4, ) == 0x0 01372 392 NtProtectVirtualMemory (-1, (0x76f910e0), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01373 392 NtProtectVirtualMemory (-1, (0x76f910e0), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01374 392 NtProtectVirtualMemory (-1, (0x76f910e8), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01375 392 NtProtectVirtualMemory (-1, (0x76f910e8), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01376 392 NtProtectVirtualMemory (-1, (0x76f910f0), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01377 392 NtProtectVirtualMemory (-1, (0x76f910f0), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01378 392 NtProtectVirtualMemory (-1, (0x76f910f4), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01379 392 NtProtectVirtualMemory (-1, (0x76f910f4), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01380 392 NtProtectVirtualMemory (-1, (0x76f910f8), 4, 4, ... (0x76f91000), 4096, 32, ) == 0x0 01381 392 NtProtectVirtualMemory (-1, (0x76f910f8), 4, 32, ... (0x76f91000), 4096, 4, ) == 0x0 01382 392 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 144, ) }, ... 144, ) == 0x0 01383 392 NtQueryEvent (144, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01384 392 NtClose (144, ... ) == 0x0 01385 392 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241428, 140, ... 144, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241428, 140, ... 144, 0x0, 0x0, 256, 140, ) == 0x0 01386 392 NtRequestWaitReplyPort (144, {28, 52, new_msg, 0, 0, 0, 0, 0} (144, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... 
{176, 200, reply, 0, 316, 392, 1507, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 316, 392, 1507, 0} (144, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 316, 392, 1507, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01387 392 NtQueryValueKey (136, (136, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01388 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 148, ) }, ... 148, ) == 0x0 01389 392 NtQueryValueKey (148, (148, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01390 392 NtClose (148, ... ) == 0x0 01391 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 148, ) }, ... 148, ) == 0x0 01392 392 NtQueryValueKey (148, (148, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 392 NtClose (148, ... ) == 0x0 01394 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 148, ) }, ... 
148, ) == 0x0 01395 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 152, ) }, ... 152, ) == 0x0 01396 392 NtQueryValueKey (152, (152, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01397 392 NtClose (152, ... ) == 0x0 01398 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 152, ) }, ... 152, ) == 0x0 01399 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 156, ) }, ... 156, ) == 0x0 01400 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 160, ) }, ... 160, ) == 0x0 01401 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 164, ) }, ... 164, ) == 0x0 01402 392 NtQueryValueKey (164, (164, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01403 392 NtQueryValueKey (164, (164, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01404 392 NtClose (164, ... ) == 0x0 01405 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 164, ) }, ... 164, ) == 0x0 01406 392 NtQueryValueKey (164, (164, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01407 392 NtQueryValueKey (164, (164, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01408 392 NtQueryValueKey (164, (164, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01409 392 NtQueryValueKey (164, (164, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01410 392 NtQueryValueKey (164, (164, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01411 392 NtQueryValueKey (164, (164, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (164, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01412 392 NtClose (164, ... ) == 0x0 01413 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "Content"}, ... 164, ) }, ... 164, ) == 0x0 01414 392 NtQueryValueKey (164, (164, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01415 392 NtClose (164, ... ) == 0x0 01416 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "Content"}, ... 164, ) }, ... 164, ) == 0x0 01417 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 168, ) }, ... 168, ) == 0x0 01418 392 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x773d0000), 0x0, 8339456, ) == 0x0 01419 392 NtClose (168, ... ) == 0x0 01420 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0 01421 392 NtQueryValueKey (168, (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01422 392 NtClose (168, ... ) == 0x0 01423 392 NtQueryDefaultUILanguage (1236032, ... 01424 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01425 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01426 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01427 392 NtClose (-2147482020, ... ) == 0x0 01428 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01429 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01431 392 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 392 NtClose (-2147482032, ... ) == 0x0 01433 392 NtClose (-2147482020, ... ) == 0x0 01423 392 NtQueryDefaultUILanguage ... ) == 0x0 01434 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01435 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 168, {status=0x0, info=1}, ) }, 1, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01436 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 168, ... 172, ) == 0x0 01437 392 NtMapViewOfSection (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb00000), 0x0, 8323072, ) == 0x0 01438 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 392 NtQueryDefaultLocale (1, 1234068, ... ) == 0x0 01440 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234924, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234924, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\333\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\347\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1508, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\333\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\347\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\336\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 316, 392, 1508, 0} (24, {128, 156, new_msg, 0, 1234924, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\333\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\347\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1508, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\333\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\347\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\336\22\0\0\0\0\0" ) ) == 0x0 01442 392 NtClose (168, ... ) == 0x0 01443 392 NtClose (172, ... ) == 0x0 01444 392 NtUnmapViewOfSection (-1, 0xb00000, ... ) == 0x0 01445 392 NtUnmapViewOfSection (-1, 0x12deec, ... ) == STATUS_NOT_MAPPED_VIEW 01446 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01447 392 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01448 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01449 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01450 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01451 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233152, ... ) }, 1233152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01453 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01454 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01455 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233744, ... ) }, 1233744, ... 
) == 0x0 01456 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 172, {status=0x0, info=1}, ) }, 3, 33, ... 172, {status=0x0, info=1}, ) == 0x0 01457 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01458 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 168, ) }, ... 168, ) == 0x0 01459 392 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 01460 392 NtClose (168, ... ) == 0x0 01461 392 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 168, ) == 0x0 01462 392 NtQueryInformationProcess (168, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01463 392 NtClose (168, ... ) == 0x0 01464 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01465 392 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 01466 392 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 01467 392 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "Control Panel\Desktop"}, ... 168, ) }, ... 168, ) == 0x0 01468 392 NtQueryValueKey (168, (168, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 392 NtClose (168, ... ) == 0x0 01470 392 NtUserSystemParametersInfo (41, 500, 1235608, 0, ... ) == 0x1 01471 392 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 01472 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01473 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01474 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc03b 01475 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01476 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... 
) == 0x810dc03d 01477 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01478 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01479 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc03f 01480 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01481 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01482 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc041 01483 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01484 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01485 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc043 01486 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01487 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc045 01488 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01489 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01490 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc047 01491 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01492 392 NtUserFindExistingCursorIcon (1235396, 1235412, 1235980, ... ) == 0x10011 01493 392 NtUserRegisterClassExWOW (1235848, 1235928, 1235912, 1235944, 0, 384, 0, ... ) == 0x810dc049 01494 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01495 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01496 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc04b 01497 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01498 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... 
) == 0x10011 01499 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc04d 01500 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01501 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01502 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc04f 01503 392 NtUserGetClassInfo (1999896576, 1236020, 1235972, 1236048, 0, ... ) == 0x0 01504 392 NtUserRegisterClassExWOW (1235856, 1235936, 1235920, 1235952, 0, 384, 0, ... ) == 0x810dc051 01505 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01506 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01507 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc053 01508 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01509 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01510 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc055 01511 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc057 01512 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01513 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01514 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc059 01515 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01516 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10013 01517 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc05b 01518 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01519 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... 
) == 0x10011 01520 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc05d 01521 392 NtUserGetClassInfo (1999896576, 1236016, 1235968, 1236044, 0, ... ) == 0x0 01522 392 NtUserFindExistingCursorIcon (1235400, 1235416, 1235984, ... ) == 0x10011 01523 392 NtUserRegisterClassExWOW (1235852, 1235932, 1235916, 1235948, 0, 384, 0, ... ) == 0x810dc05f 01524 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc03b 01525 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc03d 01526 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc03f 01527 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc041 01528 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc043 01529 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc045 01530 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc047 01531 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc049 01532 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc04b 01533 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc04d 01534 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc04f 01535 392 NtUserGetClassInfo (1999896576, 1237772, 1237724, 1237800, 0, ... ) == 0xc051 01536 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc053 01537 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc055 01538 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc059 01539 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc05b 01540 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... ) == 0xc05d 01541 392 NtUserGetClassInfo (1999896576, 1237768, 1237720, 1237796, 0, ... 
) == 0xc05f 01542 392 NtProtectVirtualMemory (-1, (0x773d1720), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01543 392 NtProtectVirtualMemory (-1, (0x773d1720), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01544 392 NtProtectVirtualMemory (-1, (0x773d1728), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01545 392 NtProtectVirtualMemory (-1, (0x773d1728), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01546 392 NtProtectVirtualMemory (-1, (0x773d172c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01547 392 NtProtectVirtualMemory (-1, (0x773d172c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01548 392 NtProtectVirtualMemory (-1, (0x773d1798), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01549 392 NtProtectVirtualMemory (-1, (0x773d1798), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01550 392 NtProtectVirtualMemory (-1, (0x773d17b8), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01551 392 NtProtectVirtualMemory (-1, (0x773d17b8), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01552 392 NtProtectVirtualMemory (-1, (0x773d1834), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01553 392 NtProtectVirtualMemory (-1, (0x773d1834), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01554 392 NtProtectVirtualMemory (-1, (0x773d1864), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01555 392 NtProtectVirtualMemory (-1, (0x773d1864), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01556 392 NtProtectVirtualMemory (-1, (0x773d1888), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01557 392 NtProtectVirtualMemory (-1, (0x773d1888), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01558 392 NtProtectVirtualMemory (-1, (0x773d18e0), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01559 392 NtProtectVirtualMemory (-1, (0x773d18e0), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01560 392 NtProtectVirtualMemory (-1, (0x773d18e4), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01561 392 NtProtectVirtualMemory (-1, (0x773d18e4), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01562 392 NtProtectVirtualMemory (-1, (0x773d18e8), 4, 4, ... 
(0x773d1000), 4096, 32, ) == 0x0 01563 392 NtProtectVirtualMemory (-1, (0x773d18e8), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01564 392 NtProtectVirtualMemory (-1, (0x773d18ec), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01565 392 NtProtectVirtualMemory (-1, (0x773d18ec), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01566 392 NtProtectVirtualMemory (-1, (0x773d18f0), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01567 392 NtProtectVirtualMemory (-1, (0x773d18f0), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01568 392 NtProtectVirtualMemory (-1, (0x773d190c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01569 392 NtProtectVirtualMemory (-1, (0x773d190c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01570 392 NtProtectVirtualMemory (-1, (0x773d1930), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01571 392 NtProtectVirtualMemory (-1, (0x773d1930), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01572 392 NtProtectVirtualMemory (-1, (0x773d1938), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01573 392 NtProtectVirtualMemory (-1, (0x773d1938), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01574 392 NtProtectVirtualMemory (-1, (0x773d1954), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01575 392 NtProtectVirtualMemory (-1, (0x773d1954), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01576 392 NtProtectVirtualMemory (-1, (0x773d195c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01577 392 NtProtectVirtualMemory (-1, (0x773d195c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01578 392 NtProtectVirtualMemory (-1, (0x773d1968), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01579 392 NtProtectVirtualMemory (-1, (0x773d1968), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01580 392 NtProtectVirtualMemory (-1, (0x773d19d4), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01581 392 NtProtectVirtualMemory (-1, (0x773d19d4), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01582 392 NtProtectVirtualMemory (-1, (0x773d1a00), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01583 392 NtProtectVirtualMemory (-1, (0x773d1a00), 4, 32, ... 
(0x773d1000), 4096, 4, ) == 0x0 01584 392 NtProtectVirtualMemory (-1, (0x773d1a04), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01585 392 NtProtectVirtualMemory (-1, (0x773d1a04), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01586 392 NtProtectVirtualMemory (-1, (0x773d1a08), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01587 392 NtProtectVirtualMemory (-1, (0x773d1a08), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01588 392 NtProtectVirtualMemory (-1, (0x773d1a20), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01589 392 NtProtectVirtualMemory (-1, (0x773d1a20), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01590 392 NtProtectVirtualMemory (-1, (0x773d1a2c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01591 392 NtProtectVirtualMemory (-1, (0x773d1a2c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01592 392 NtProtectVirtualMemory (-1, (0x773d1a40), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01593 392 NtProtectVirtualMemory (-1, (0x773d1a40), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01594 392 NtProtectVirtualMemory (-1, (0x773d1a44), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01595 392 NtProtectVirtualMemory (-1, (0x773d1a44), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01596 392 NtProtectVirtualMemory (-1, (0x773d1a48), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01597 392 NtProtectVirtualMemory (-1, (0x773d1a48), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01598 392 NtProtectVirtualMemory (-1, (0x773d1a4c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01599 392 NtProtectVirtualMemory (-1, (0x773d1a4c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01600 392 NtProtectVirtualMemory (-1, (0x773d1a54), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01601 392 NtProtectVirtualMemory (-1, (0x773d1a54), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01602 392 NtProtectVirtualMemory (-1, (0x773d1a5c), 4, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01603 392 NtProtectVirtualMemory (-1, (0x773d1a5c), 4, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01604 392 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01605 392 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1364304, 0, (0x1f0003, {24, 52, 0x80, 1364304, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 168, ) }, 0, 2147483647, ... 168, ) == STATUS_OBJECT_NAME_EXISTS 01606 392 NtReleaseSemaphore (168, 1, ... 0, ) == 0x0 01607 392 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x0 01608 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01609 392 NtQueryValueKey (176, (176, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01610 392 NtClose (176, ... ) == 0x0 01611 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238584, ... ) }, 1238584, ... ) == 0x0 01612 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01613 392 NtSetValueKey (176, (176, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... 
) , 0, 1, (176, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01614 392 NtClose (176, ... ) == 0x0 01615 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239972, ... ) }, 1239972, ... ) == 0x0 01616 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239704, ... ) }, 1239704, ... ) == 0x0 01617 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01618 392 NtSetInformationFile (176, 1239696, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01619 392 NtClose (176, ... ) == 0x0 01620 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239704, ... ) }, 1239704, ... ) == 0x0 01621 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01622 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01623 392 NtQueryValueKey (164, (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01624 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 176, ) }, ... 176, ) == 0x0 01625 392 NtOpenKey (0xf, {24, 176, 0x40, 0, 0, (0xf, {24, 176, 0x40, 0, 0, "Paths"}, ... 180, ) }, ... 180, ) == 0x0 01626 392 NtOpenKey (0xf, {24, 180, 0x40, 0, 0, (0xf, {24, 180, 0x40, 0, 0, "Path1"}, ... 184, ) }, ... 184, ) == 0x0 01627 392 NtOpenKey (0xf, {24, 180, 0x40, 0, 0, (0xf, {24, 180, 0x40, 0, 0, "Path2"}, ... 188, ) }, ... 188, ) == 0x0 01628 392 NtOpenKey (0xf, {24, 180, 0x40, 0, 0, (0xf, {24, 180, 0x40, 0, 0, "Path3"}, ... 192, ) }, ... 192, ) == 0x0 01629 392 NtOpenKey (0xf, {24, 180, 0x40, 0, 0, (0xf, {24, 180, 0x40, 0, 0, "Path4"}, ... 196, ) }, ... 196, ) == 0x0 01630 392 NtOpenKey (0xf, {24, 176, 0x40, 0, 0, (0xf, {24, 176, 0x40, 0, 0, "Special Paths"}, ... 200, ) }, ... 200, ) == 0x0 01631 392 NtSetValueKey (180, (180, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (180, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 01632 392 NtSetValueKey (180, (180, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (180, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... 
) == 0x0 01633 392 NtSetValueKey (184, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01634 392 NtSetValueKey (188, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01635 392 NtSetValueKey (192, (192, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... 
) , 0, 1, (192, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 01636 392 NtSetValueKey (196, (196, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (196, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01637 392 NtSetValueKey (184, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01638 392 NtSetValueKey (188, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01639 392 NtSetValueKey (192, (192, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (192, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01640 392 NtSetValueKey (196, (196, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (196, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01641 392 NtClose (196, ... ) == 0x0 01642 392 NtClose (192, ... ) == 0x0 01643 392 NtClose (188, ... ) == 0x0 01644 392 NtClose (184, ... ) == 0x0 01645 392 NtClose (180, ... ) == 0x0 01646 392 NtClose (200, ... ) == 0x0 01647 392 NtClose (176, ... 
) == 0x0 01648 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "Cookies"}, ... 176, ) }, ... 176, ) == 0x0 01649 392 NtQueryValueKey (176, (176, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01650 392 NtClose (176, ... ) == 0x0 01651 392 NtClose (164, ... ) == 0x0 01652 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "Cookies"}, ... 164, ) }, ... 164, ) == 0x0 01653 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01654 392 NtReleaseSemaphore (168, 1, ... 0, ) == 0x0 01655 392 NtWaitForSingleObject (168, 0, {0, 0}, ... ) == 0x0 01656 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01657 392 NtQueryValueKey (176, (176, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01658 392 NtClose (176, ... ) == 0x0 01659 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238584, ... ) }, 1238584, ... ) == 0x0 01660 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01661 392 NtSetValueKey (176, (176, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... 
) , 0, 1, (176, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01662 392 NtClose (176, ... ) == 0x0 01663 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239972, ... ) }, 1239972, ... ) == 0x0 01664 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01665 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01666 392 NtQueryValueKey (164, (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01667 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "History"}, ... 176, ) }, ... 176, ) == 0x0 01668 392 NtQueryValueKey (176, (176, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01669 392 NtClose (176, ... ) == 0x0 01670 392 NtClose (164, ... ) == 0x0 01671 392 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "History"}, ... 164, ) }, ... 164, ) == 0x0 01672 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01673 392 NtReleaseSemaphore (168, 1, ... 0, ) == 0x0 01674 392 NtWaitForSingleObject (168, 0, {0, 0}, ... 
) == 0x0 01675 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01676 392 NtQueryValueKey (176, (176, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01677 392 NtClose (176, ... ) == 0x0 01678 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238584, ... ) }, 1238584, ... ) == 0x0 01679 392 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01680 392 NtSetValueKey (176, (176, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (176, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 01681 392 NtClose (176, ... ) == 0x0 01682 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239972, ... ) }, 1239972, ... ) == 0x0 01683 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239704, ... 
) }, 1239704, ... ) == 0x0 01684 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01685 392 NtSetInformationFile (176, 1239696, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01686 392 NtClose (176, ... ) == 0x0 01687 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239704, ... ) }, 1239704, ... ) == 0x0 01688 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01689 392 NtQueryValueKey (164, (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01690 392 NtQueryValueKey (164, (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01691 392 NtClose (164, ... ) == 0x0 01692 392 NtClose (160, ... ) == 0x0 01693 392 NtClose (152, ... ) == 0x0 01694 392 NtClose (156, ... ) == 0x0 01695 392 NtClose (148, ... ) == 0x0 01696 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 148, ) }, ... 148, ) == 0x0 01697 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 156, ) }, ... 
156, ) == 0x0 01698 392 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01699 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 152, {status=0x0, info=1}, ) }, 3, 8388641, ... 152, {status=0x0, info=1}, ) == 0x0 01700 392 NtQueryVolumeInformationFile (152, 1241240, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01701 392 NtClose (152, ... ) == 0x0 01702 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 152, {status=0x0, info=1}, ) }, 3, 8388641, ... 152, {status=0x0, info=1}, ) == 0x0 01703 392 NtQueryVolumeInformationFile (152, 1241264, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01704 392 NtClose (152, ... ) == 0x0 01705 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241576, ... ) }, 1241576, ... ) == 0x0 01706 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0 01707 392 NtSetInformationFile (152, 1241568, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01708 392 NtClose (152, ... ) == 0x0 01709 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241544, (0xc0100080, {24, 0, 0x40, 1364304, 1241544, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01710 392 NtSetInformationFile (152, 1241636, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01711 392 NtQueryInformationFile (152, 1241616, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01712 392 NtClose (152, ... ) == 0x0 01713 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241528, (0xc0100080, {24, 0, 0x40, 1364304, 1241528, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01714 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 160, ) }, ... 160, ) == 0x0 01715 392 NtMapViewOfSection (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 32768, ) == 0x0 01716 392 NtReleaseMutant (156, ... 0x0, ) == 0x0 01717 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 164, ) }, ... 164, ) == 0x0 01718 392 NtWaitForSingleObject (164, 0, 0x0, ... ) == 0x0 01719 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01720 392 NtQueryVolumeInformationFile (176, 1241240, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01721 392 NtClose (176, ... ) == 0x0 01722 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01723 392 NtQueryVolumeInformationFile (176, 1241264, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01724 392 NtClose (176, ... ) == 0x0 01725 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241576, ... ) }, 1241576, ... 
) == 0x0 01726 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01727 392 NtSetInformationFile (176, 1241568, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01728 392 NtClose (176, ... ) == 0x0 01729 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241544, (0xc0100080, {24, 0, 0x40, 1364304, 1241544, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01730 392 NtSetInformationFile (176, 1241636, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01731 392 NtQueryInformationFile (176, 1241616, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01732 392 NtClose (176, ... ) == 0x0 01733 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241528, (0xc0100080, {24, 0, 0x40, 1364304, 1241528, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01734 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 200, ) }, ... 200, ) == 0x0 01735 392 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa80000), {0, 0}, 16384, ) == 0x0 01736 392 NtReleaseMutant (164, ... 0x0, ) == 0x0 01737 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 180, ) }, ... 180, ) == 0x0 01738 392 NtWaitForSingleObject (180, 0, 0x0, ... ) == 0x0 01739 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 
184, {status=0x0, info=1}, ) }, 3, 8388641, ... 184, {status=0x0, info=1}, ) == 0x0 01740 392 NtQueryVolumeInformationFile (184, 1241240, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01741 392 NtClose (184, ... ) == 0x0 01742 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 184, {status=0x0, info=1}, ) }, 3, 8388641, ... 184, {status=0x0, info=1}, ) == 0x0 01743 392 NtQueryVolumeInformationFile (184, 1241264, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01744 392 NtClose (184, ... ) == 0x0 01745 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241576, ... ) }, 1241576, ... ) == 0x0 01746 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01747 392 NtSetInformationFile (184, 1241568, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01748 392 NtClose (184, ... ) == 0x0 01749 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241544, (0xc0100080, {24, 0, 0x40, 1364304, 1241544, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0 01750 392 NtSetInformationFile (184, 1241636, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01751 392 NtQueryInformationFile (184, 1241616, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01752 392 NtClose (184, ... ) == 0x0 01753 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364304, 1241528, (0xc0100080, {24, 0, 0x40, 1364304, 1241528, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 
184, {status=0x0, info=1}, ) == 0x0 01754 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 188, ) }, ... 188, ) == 0x0 01755 392 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 32768, ) == 0x0 01756 392 NtReleaseMutant (180, ... 0x0, ) == 0x0 01757 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241632, ... ) }, 1241632, ... ) == 0x0 01758 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 01759 392 NtSetInformationFile (192, 1241624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01760 392 NtClose (192, ... ) == 0x0 01761 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241632, ... ) }, 1241632, ... ) == 0x0 01762 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241632, ... ) }, 1241632, ... ) == 0x0 01763 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 01764 392 NtSetInformationFile (192, 1241624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01765 392 NtClose (192, ... ) == 0x0 01766 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241632, ... 
) }, 1241632, ... ) == 0x0 01767 392 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01768 392 NtQueryInformationFile (152, 1240012, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01769 392 NtReleaseMutant (156, ... 0x0, ) == 0x0 01770 392 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 192, ) }, ... 192, ) == 0x0 01771 392 NtOpenKey (0xf, {24, 192, 0x40, 0, 0, (0xf, {24, 192, 0x40, 0, 0, "Extensible Cache"}, ... 196, ) }, ... 196, ) == 0x0 01772 392 NtClose (192, ... ) == 0x0 01773 392 NtWaitForSingleObject (148, 0, {-600000000, -1}, ... ) == 0x0 01774 392 NtEnumerateKey (196, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (196, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01775 392 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "MSHist012007051420070521"}, ... 192, ) }, ... 192, ) == 0x0 01776 392 NtQueryValueKey (192, (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01777 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01778 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01779 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01780 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01781 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01782 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01783 392 NtQueryValueKey (192, (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01784 392 NtQueryValueKey (192, (192, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01785 392 NtClose (192, ... ) == 0x0 01786 392 NtEnumerateKey (196, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (196, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01787 392 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "MSHist012007052120070528"}, ... 192, ) }, ... 192, ) == 0x0 01788 392 NtQueryValueKey (192, (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01789 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01790 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01791 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01792 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01793 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01794 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01795 392 NtQueryValueKey (192, (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01796 392 NtQueryValueKey (192, (192, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01797 392 NtClose (192, ... ) == 0x0 01798 392 NtEnumerateKey (196, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (196, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01799 392 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "MSHist012007053120070601"}, ... 192, ) }, ... 192, ) == 0x0 01800 392 NtQueryValueKey (192, (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01801 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01802 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01803 392 NtQueryValueKey (192, (192, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01804 392 NtQueryValueKey (192, (192, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (192, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01805 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01806 392 NtQueryValueKey (192, (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01807 392 NtQueryValueKey (192, (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01808 392 NtQueryValueKey (192, (192, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01809 392 NtClose (192, ... ) == 0x0 01810 392 NtEnumerateKey (196, 3, Basic, 288, ... 
) == STATUS_NO_MORE_ENTRIES 01811 392 NtReleaseMutant (148, ... 0x0, ) == 0x0 01812 392 NtClose (196, ... ) == 0x0 01813 392 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01814 392 NtQueryInformationFile (152, 1241940, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01815 392 NtReleaseMutant (156, ... 0x0, ) == 0x0 01816 392 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01817 392 NtQueryInformationFile (152, 1242012, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01818 392 NtReleaseMutant (156, ... 0x0, ) == 0x0 01819 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01820 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01821 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01822 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01823 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01824 392 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01825 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 196, ) }, ... 196, ) == 0x0 01826 392 NtQueryValueKey (196, (196, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01827 392 NtClose (196, ... 
) == 0x0 01828 392 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01829 392 NtQueryValueKey (136, (136, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 392 NtQueryValueKey (136, (136, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01831 392 NtQueryValueKey (136, (136, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 392 NtQueryValueKey (136, (136, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01833 392 NtQueryValueKey (136, (136, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01834 392 NtQueryValueKey (136, (136, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01835 392 NtQueryValueKey (136, (136, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 392 NtQueryValueKey (136, (136, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 392 NtQueryValueKey (136, (136, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 392 NtQueryValueKey (136, (136, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01839 392 NtQueryValueKey (136, (136, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01840 392 NtOpenKey (0x1, {24, 120, 0x40, 0, 0, (0x1, {24, 120, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 196, ) }, ... 196, ) == 0x0 01841 392 NtQueryValueKey (196, (196, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01842 392 NtClose (196, ... 
) == 0x0 01843 392 NtQueryValueKey (136, (136, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01844 392 NtQueryValueKey (136, (136, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01845 392 NtQueryValueKey (136, (136, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01846 392 NtQueryValueKey (136, (136, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 392 NtQueryValueKey (136, (136, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 392 NtQueryValueKey (136, (136, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01849 392 NtQueryValueKey (136, (136, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01850 392 NtQueryValueKey (136, (136, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01851 392 NtQueryValueKey (136, (136, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01852 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 196, ) }, ... 196, ) == 0x0 01853 392 NtQueryValueKey (196, (196, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01854 392 NtClose (196, ... ) == 0x0 01855 392 NtQueryValueKey (136, (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01856 392 NtQueryValueKey (136, (136, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01857 392 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01858 392 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01859 392 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01860 392 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01861 392 NtQueryValueKey (136, (136, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01862 392 NtQueryValueKey (136, (136, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01863 392 NtQueryValueKey (136, (136, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 392 NtQueryValueKey (136, (136, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01865 392 NtQueryValueKey (136, (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01866 392 NtQueryValueKey (136, (136, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01867 392 NtQueryValueKey (136, (136, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01868 392 NtQueryValueKey (136, (136, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01869 392 NtQueryValueKey (136, (136, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01870 392 NtQueryValueKey (136, (136, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01871 392 NtQueryValueKey (136, (136, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01872 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 196, ) }, ... 196, ) == 0x0 01873 392 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 192, ) == 0x0 01874 392 NtQueryValueKey (136, (136, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01875 392 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01876 392 NtQueryInformationFile (152, 1241988, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01877 392 NtReleaseMutant (156, ... 0x0, ) == 0x0 01878 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 204, ) }, ... 204, ) == 0x0 01879 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 208, ) == 0x0 01880 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 212, ) }, ... 212, ) == 0x0 01881 392 NtQueryValueKey (136, (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01882 392 NtQueryValueKey (136, (136, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "NoNetAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01883 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01884 392 NtQueryValueKey (216, (216, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01885 392 NtQueryValueKey (216, (216, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01886 392 NtClose (216, ... ) == 0x0 01887 392 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 216, ) == 0x0 01888 392 NtWaitForSingleObject (216, 0, 0x0, ... ) == 0x0 01889 392 NtClearEvent (216, ... ) == 0x0 01890 392 NtSetEvent (216, ... 0x0, ) == 0x0 01891 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01892 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1239576, ... ) }, 1239576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01893 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1239576, ... ) }, 1239576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01894 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1239576, ... ) }, 1239576, ... ) == 0x0 01895 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0 01896 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 220, ... 
224, ) == 0x0 01897 392 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01898 392 NtClose (220, ... ) == 0x0 01899 392 NtMapViewOfSection (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 01900 392 NtClose (224, ... ) == 0x0 01901 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 224, ) }, ... 224, ) == 0x0 01902 392 NtQueryValueKey (224, (224, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (224, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01903 392 NtQueryValueKey (224, (224, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (224, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01904 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0 01905 392 NtOpenKey (0x2000000, {24, 224, 0x40, 0, 0, (0x2000000, {24, 224, 0x40, 0, 0, "Protocol_Catalog9"}, ... 228, ) }, ... 228, ) == 0x0 01906 392 NtQueryValueKey (228, (228, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01907 392 NtNotifyChangeKey (228, 220, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01908 392 NtQueryValueKey (228, (228, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01909 392 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01910 392 NtQueryValueKey (228, (228, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01911 392 NtQueryValueKey (228, (228, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01912 392 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "Catalog_Entries"}, ... 232, ) }, ... 232, ) == 0x0 01913 392 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01914 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000001"}, ... 236, ) }, ... 236, ) == 0x0 01915 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01916 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01917 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0~\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\177\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01918 392 NtClose (236, ... ) == 0x0 01919 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000002"}, ... 236, ) }, ... 236, ) == 0x0 01920 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01921 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01922 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\203\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\204\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01923 392 NtClose (236, ... ) == 0x0 01924 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000003"}, ... 236, ) }, ... 236, ) == 0x0 01925 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01926 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01927 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\210\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\211\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01928 392 NtClose (236, ... ) == 0x0 01929 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000004"}, ... 236, ) }, ... 236, ) == 0x0 01930 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01931 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01932 392 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01933 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\216\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\217\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01934 392 NtClose (236, ... ) == 0x0 01935 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000005"}, ... 236, ) }, ... 236, ) == 0x0 01936 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01937 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01938 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\223\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\224\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01939 392 NtClose (236, ... ) == 0x0 01940 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000006"}, ... 236, ) }, ... 236, ) == 0x0 01941 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01942 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01943 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\230\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\231\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01944 392 NtClose (236, ... ) == 0x0 01945 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000007"}, ... 236, ) }, ... 236, ) == 0x0 01946 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01947 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01948 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\235\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\236\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01949 392 NtClose (236, ... ) == 0x0 01950 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000008"}, ... 236, ) }, ... 236, ) == 0x0 01951 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01952 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01953 392 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01954 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\243\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\244\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01955 392 NtClose (236, ... ) == 0x0 01956 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000009"}, ... 236, ) }, ... 236, ) == 0x0 01957 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01958 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01959 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\250\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\251\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01960 392 NtClose (236, ... ) == 0x0 01961 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000010"}, ... 236, ) }, ... 236, ) == 0x0 01962 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01963 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01964 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0 (236, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\255\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\350\0\0\0T\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\354\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\256\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\354\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\7\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\354\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01965 392 NtClose (236, ... ) == 0x0 01966 392 NtOpenKey (0x20019, {24, 232, 0x40, 0, 0, (0x20019, {24, 232, 0x40, 0, 0, "000000000011"}, ... 236, ) }, ... 236, ) == 0x0 01967 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01968 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01969 392 NtQueryValueKey (236, (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\262\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\262\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\263\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\7\0\0<\1\0\0\210\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\7\0\0<\1\0\0\210\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\265\7\0\0<\1\0\0\210\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\265\7\0\0<\1\0\0\210\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\266\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\340\0\0\0p\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310\353\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (236, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\262\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354\0\0\0\262\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\263\7\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\7\0\0<\1\0\0\210\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\7\0\0<\1\0\0\210\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\265\7\0\0<\1\0\0\210\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\265\7\0\0<\1\0\0\210\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\266\7\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\340\0\0\0p\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310\353\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01970 392 NtClose (236, ... ) == 0x0 01971 392 NtClose (232, ... ) == 0x0 01972 392 NtWaitForSingleObject (220, 0, {0, 0}, ... 
) == 0x102 01973 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0 01974 392 NtOpenKey (0x2000000, {24, 224, 0x40, 0, 0, (0x2000000, {24, 224, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 236, ) }, ... 236, ) == 0x0 01975 392 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01976 392 NtNotifyChangeKey (236, 232, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01977 392 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01978 392 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01979 392 NtQueryValueKey (236, (236, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01980 392 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "Catalog_Entries"}, ... 240, ) }, ... 240, ) == 0x0 01981 392 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000001"}, ... 244, ) }, ... 244, ) == 0x0 01982 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01983 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01984 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01985 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01986 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01987 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01988 392 NtQueryValueKey (244, (244, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (244, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01989 392 NtQueryValueKey (244, (244, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01990 392 NtQueryValueKey (244, (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01991 392 NtQueryValueKey (244, (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01992 392 NtQueryValueKey (244, (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01993 392 NtQueryValueKey (244, (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01994 392 NtClose (244, ... ) == 0x0 01995 392 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01996 392 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000002"}, ... 244, ) }, ... 244, ) == 0x0 01997 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01998 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01999 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02000 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02001 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02002 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 02003 392 NtQueryValueKey (244, (244, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (244, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 02004 392 NtQueryValueKey (244, (244, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02005 392 NtQueryValueKey (244, (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 02006 392 NtQueryValueKey (244, (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02007 392 NtQueryValueKey (244, (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02008 392 NtQueryValueKey (244, (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02009 392 NtClose (244, ... ) == 0x0 02010 392 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000003"}, ... 244, ) }, ... 244, ) == 0x0 02011 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02012 392 NtQueryValueKey (244, (244, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 02013 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02014 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02015 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02016 392 NtQueryValueKey (244, (244, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 02017 392 NtQueryValueKey (244, (244, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (244, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 02018 392 NtQueryValueKey (244, (244, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02019 392 NtQueryValueKey (244, (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 02020 392 NtQueryValueKey (244, (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02021 392 NtQueryValueKey (244, (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02022 392 NtQueryValueKey (244, (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02023 392 NtClose (244, ... 
) == 0x0 02024 392 NtClose (240, ... ) == 0x0 02025 392 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02026 392 NtClose (224, ... ) == 0x0 02027 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02028 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02029 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 224, ) }, ... 224, ) == 0x0 02030 392 NtQueryValueKey (224, (224, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02031 392 NtClose (224, ... ) == 0x0 02032 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 224, ) == 0x0 02033 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1239524, ... ) }, 1239524, ... ) == 0x0 02034 392 NtClearEvent (192, ... ) == 0x0 02035 392 NtSetEvent (192, ... 0x0, ) == 0x0 02036 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02037 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240108, ... ) }, 1240108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02038 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240108, ... ) }, 1240108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02039 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240108, ... ) }, 1240108, ... ) == 0x0 02040 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 
240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02041 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02042 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02043 392 NtClose (240, ... ) == 0x0 02044 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 02045 392 NtClose (244, ... ) == 0x0 02046 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240860, ... ) }, 1240860, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02048 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240860, ... ) }, 1240860, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02049 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240860, ... ) }, 1240860, ... ) == 0x0 02050 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02051 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02052 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02053 392 NtClose (244, ... ) == 0x0 02054 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 02055 392 NtClose (240, ... ) == 0x0 02056 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02057 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1240056, ... ) }, 1240056, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02058 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1240056, ... ) }, 1240056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02059 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1240056, ... ) }, 1240056, ... ) == 0x0 02060 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02061 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02062 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02063 392 NtClose (240, ... ) == 0x0 02064 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 02065 392 NtClose (244, ... ) == 0x0 02066 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02067 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02068 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02069 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239252, ... ) }, 1239252, ... ) == 0x0 02070 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02071 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02072 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02073 392 NtClose (244, ... 
) == 0x0 02074 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 02075 392 NtClose (240, ... ) == 0x0 02076 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02077 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02078 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02079 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02080 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02081 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02082 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02083 392 NtClose (240, ... ) == 0x0 02084 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 02085 392 NtClose (244, ... ) == 0x0 02086 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02087 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02088 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02089 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237644, ... ) }, 1237644, ... 
) == 0x0 02090 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02091 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02092 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02093 392 NtClose (244, ... ) == 0x0 02094 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 02095 392 NtClose (240, ... ) == 0x0 02096 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02097 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236840, ... ) }, 1236840, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02098 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236840, ... ) }, 1236840, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02099 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236840, ... ) }, 1236840, ... ) == 0x0 02100 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02101 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02102 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02103 392 NtClose (240, ... ) == 0x0 02104 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 02105 392 NtClose (244, ... ) == 0x0 02106 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 244, ) }, ... 244, ) == 0x0 02107 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76f60000), 0x0, 180224, ) == 0x0 02108 392 NtClose (244, ... ) == 0x0 02109 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02110 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02111 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237644, ... ) }, 1237644, ... ) == 0x0 02113 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02114 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02115 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02116 392 NtClose (244, ... ) == 0x0 02117 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 02118 392 NtClose (240, ... ) == 0x0 02119 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02120 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02121 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02122 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02123 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 
240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02124 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02125 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02126 392 NtClose (240, ... ) == 0x0 02127 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 02128 392 NtClose (244, ... ) == 0x0 02129 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02130 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02131 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02132 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02133 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02134 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02135 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02136 392 NtClose (244, ... ) == 0x0 02137 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 02138 392 NtClose (240, ... ) == 0x0 02139 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02140 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238448, ... ) }, 1238448, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02141 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02142 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02143 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02144 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02145 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02146 392 NtClose (240, ... ) == 0x0 02147 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 02148 392 NtClose (244, ... ) == 0x0 02149 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02150 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02151 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02152 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239252, ... ) }, 1239252, ... ) == 0x0 02153 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02154 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02155 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02156 392 NtClose (244, ... 
) == 0x0 02157 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 02158 392 NtClose (240, ... ) == 0x0 02159 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02160 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02161 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02162 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02163 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02164 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02165 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02166 392 NtClose (240, ... ) == 0x0 02167 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 02168 392 NtClose (244, ... ) == 0x0 02169 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02170 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02171 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02172 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238448, ... ) }, 1238448, ... 
) == 0x0 02173 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02174 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02175 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02176 392 NtClose (244, ... ) == 0x0 02177 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 02178 392 NtClose (240, ... ) == 0x0 02179 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02180 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02181 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02182 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237644, ... ) }, 1237644, ... ) == 0x0 02183 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02184 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02185 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02186 392 NtClose (240, ... ) == 0x0 02187 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 02188 392 NtClose (244, ... ) == 0x0 02189 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02190 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02191 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239252, ... ) }, 1239252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02192 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239252, ... ) }, 1239252, ... ) == 0x0 02193 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02194 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02195 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02196 392 NtClose (244, ... ) == 0x0 02197 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 02198 392 NtClose (240, ... ) == 0x0 02199 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02200 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02201 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02202 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02203 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02204 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 
244, ) == 0x0 02205 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02206 392 NtClose (240, ... ) == 0x0 02207 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 02208 392 NtClose (244, ... ) == 0x0 02209 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02210 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02211 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02213 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02214 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02215 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02216 392 NtClose (244, ... ) == 0x0 02217 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 02218 392 NtClose (240, ... ) == 0x0 02219 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02220 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237644, ... ) }, 1237644, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02222 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237644, ... ) }, 1237644, ... ) == 0x0 02223 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02224 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02225 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02226 392 NtClose (240, ... ) == 0x0 02227 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 02228 392 NtClose (244, ... ) == 0x0 02229 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238448, ... ) }, 1238448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02232 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238448, ... ) }, 1238448, ... ) == 0x0 02233 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 02234 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0 02235 392 NtQuerySection (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02236 392 NtClose (244, ... ) == 0x0 02237 392 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 02238 392 NtClose (240, ... 
) == 0x0 02239 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02240 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02241 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237644, ... ) }, 1237644, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02242 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237644, ... ) }, 1237644, ... ) == 0x0 02243 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0 02244 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0 02245 392 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02246 392 NtClose (240, ... ) == 0x0 02247 392 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 02248 392 NtClose (244, ... ) == 0x0 02249 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 244, ) == 0x0 02250 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 240, ) }, ... 240, ) == 0x0 02251 392 NtQueryValueKey (240, (240, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02252 392 NtClose (240, ... ) == 0x0 02253 392 NtQueryDefaultLocale (1, 1241504, ... ) == 0x0 02254 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02255 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11141120, 262144, ) == 0x0 02256 392 NtAllocateVirtualMemory (-1, 11141120, 0, 4096, 4096, 4, ... 11141120, 4096, ) == 0x0 02257 392 NtAllocateVirtualMemory (-1, 11145216, 0, 8192, 4096, 4, ... 11145216, 8192, ) == 0x0 02258 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02259 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02260 392 NtQueryDefaultLocale (1, 1241464, ... ) == 0x0 02261 392 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02262 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02263 392 NtQueryValueKey (240, (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02264 392 NtClose (240, ... ) == 0x0 02265 392 NtUserGetProcessWindowStation (... ) == 0x28 02266 392 NtUserGetObjectInformation (40, 1, 1241136, 12, 1241148, ... ) == 0x1 02267 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 240, ) }, ... 240, ) == 0x0 02268 392 NtQueryValueKey (240, (240, "seed", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 02269 392 NtClose (240, ... ) == 0x0 02270 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02271 392 NtQueryValueKey (240, (240, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02272 392 NtQueryValueKey (240, (240, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02273 392 NtClose (240, ... ) == 0x0 02274 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02275 392 NtQueryValueKey (240, (240, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02276 392 NtQueryValueKey (240, (240, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02277 392 NtClose (240, ... 
) == 0x0 02278 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02279 392 NtQueryValueKey (240, (240, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02280 392 NtQueryValueKey (240, (240, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02281 392 NtClose (240, ... ) == 0x0 02282 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02283 392 NtQueryValueKey (240, (240, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02284 392 NtQueryValueKey (240, (240, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02285 392 NtClose (240, ... ) == 0x0 02286 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 240, ) }, ... 240, ) == 0x0 02287 392 NtQueryValueKey (240, (240, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02288 392 NtQueryValueKey (240, (240, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02289 392 NtClose (240, ... ) == 0x0 02290 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 240, ) }, ... 240, ) == 0x0 02291 392 NtQueryValueKey (240, (240, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 02292 392 NtClose (240, ... ) == 0x0 02293 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 02294 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 248, ) == 0x0 02295 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0 02296 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 256, ) == 0x0 02297 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0 02298 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 264, ) == 0x0 02299 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 268, ) }, ... 268, ) == 0x0 02300 392 NtQueryValueKey (268, (268, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02301 392 NtQueryValueKey (268, (268, "LogPath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02302 392 NtOpenKey (0x1, {24, 268, 0x40, 0, 0, (0x1, {24, 268, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02303 392 NtClose (268, ... ) == 0x0 02304 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1241056, ... ) }, 1241056, ... ) == 0x0 02305 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 268, ) }, ... 268, ) == 0x0 02306 392 NtQueryValueKey (268, (268, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (268, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (268, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02307 392 NtClose (268, ... ) == 0x0 02308 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 268, ) }, ... 268, ) == 0x0 02309 392 NtQueryValueKey (268, (268, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (268, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (268, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 02310 392 NtClose (268, ... ) == 0x0 02311 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02312 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 268, ) }, ... 268, ) == 0x0 02313 392 NtQueryValueKey (268, (268, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (268, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (268, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02314 392 NtClose (268, ... ) == 0x0 02315 392 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 02316 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0 02317 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 272, ) == 0x0 02318 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 276, ) == 0x0 02319 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 280, ) }, ... 280, ) == 0x0 02320 392 NtQueryValueKey (280, (280, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02321 392 NtQueryValueKey (280, (280, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02322 392 NtQueryValueKey (280, (280, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02323 392 NtQueryValueKey (280, (280, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02324 392 NtQueryValueKey (280, (280, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02325 392 NtQueryValueKey (280, (280, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02326 392 NtQueryValueKey (280, (280, "wave6", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02327 392 NtQueryValueKey (280, (280, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02328 392 NtQueryValueKey (280, (280, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02329 392 NtQueryValueKey (280, (280, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02330 392 NtQueryValueKey (280, (280, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02331 392 NtQueryValueKey (280, (280, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02332 392 NtQueryValueKey (280, (280, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02333 392 NtQueryValueKey (280, (280, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 392 NtQueryValueKey (280, (280, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02335 392 NtQueryValueKey (280, (280, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02336 392 NtQueryValueKey (280, (280, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02337 392 NtQueryValueKey (280, (280, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02338 392 NtQueryValueKey (280, (280, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02339 392 NtQueryValueKey (280, (280, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02340 392 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 02341 392 NtQueryValueKey (280, (280, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02342 392 NtQueryValueKey (280, (280, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02343 392 NtQueryValueKey (280, (280, "aux2", Partial, 536, ... 
) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02344 392 NtQueryValueKey (280, (280, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02345 392 NtQueryValueKey (280, (280, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02346 392 NtQueryValueKey (280, (280, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02347 392 NtQueryValueKey (280, (280, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02348 392 NtQueryValueKey (280, (280, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02349 392 NtQueryValueKey (280, (280, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02350 392 NtQueryValueKey (280, (280, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02351 392 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 02352 392 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 284, ) }, ... 284, ) == 0x0 02353 392 NtQueryValueKey (284, (284, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (284, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02354 392 NtClose (284, ... ) == 0x0 02355 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 02356 392 NtQueryValueKey (280, (280, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02357 392 NtQueryValueKey (280, (280, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02358 392 NtQueryValueKey (280, (280, "mixer2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02359 392 NtQueryValueKey (280, (280, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02360 392 NtQueryValueKey (280, (280, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02361 392 NtQueryValueKey (280, (280, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02362 392 NtQueryValueKey (280, (280, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02363 392 NtQueryValueKey (280, (280, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02364 392 NtQueryValueKey (280, (280, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02365 392 NtQueryValueKey (280, (280, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02366 392 NtQueryDefaultUILanguage (1240024, ... 02367 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02368 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02369 392 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02370 392 NtClose (-2147482020, ... ) == 0x0 02371 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 02372 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02373 392 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 02374 392 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02375 392 NtClose (-2147482032, ... ) == 0x0 02376 392 NtClose (-2147482020, ... ) == 0x0 02366 392 NtQueryDefaultUILanguage ... ) == 0x0 02377 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02378 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 284, {status=0x0, info=1}, ) }, 1, 96, ... 284, {status=0x0, info=1}, ) == 0x0 02379 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 284, ... 288, ) == 0x0 02380 392 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb00000), 0x0, 163840, ) == 0x0 02381 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02382 392 NtQueryDefaultLocale (1, 1238060, ... ) == 0x0 02383 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02384 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238916, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238916, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\34\1\0\0\377\377\377\377\0\0\0\0\360Z\262\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\204\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\34\1\0\0\377\377\377\377\0\0\0\0\360Z\262\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\204\356\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 316, 392, 1509, 0} (24, {128, 156, new_msg, 0, 1238916, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\34\1\0\0\377\377\377\377\0\0\0\0\360Z\262\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\204\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\34\1\0\0\377\377\377\377\0\0\0\0\360Z\262\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\204\356\22\0\0\0\0\0" ) ) == 0x0 02385 392 NtClose (284, ... ) == 0x0 02386 392 NtClose (288, ... ) == 0x0 02387 392 NtUnmapViewOfSection (-1, 0xb00000, ... ) == 0x0 02388 392 NtUnmapViewOfSection (-1, 0x12ee84, ... ) == STATUS_NOT_MAPPED_VIEW 02389 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02390 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02391 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02392 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02393 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237144, ... ) }, 1237144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02394 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02395 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02396 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02397 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237736, ... ) }, 1237736, ... 
) == 0x0 02398 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 288, {status=0x0, info=1}, ) }, 3, 33, ... 288, {status=0x0, info=1}, ) == 0x0 02399 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02400 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 284, ) }, ... 284, ) == 0x0 02401 392 NtQueryValueKey (284, (284, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02402 392 NtQueryValueKey (284, (284, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02403 392 NtClose (284, ... ) == 0x0 02404 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 284, ) == 0x0 02405 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1390656, 0, (0x1f0001, {24, 52, 0x80, 1390656, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 02406 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 292, ) }, ... 292, ) == 0x0 02407 392 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 296, ) == 0x0 02408 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 300, ) == 0x0 02409 392 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 304, ) == 0x0 02410 392 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) , 0, ... 308, 2, ) == 0x0 02411 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 312, ) }, ... 
312, ) == 0x0 02412 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02413 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02414 392 NtQueryValueKey (312, (312, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02415 392 NtQueryValueKey (308, (308, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02416 392 NtQueryValueKey (312, (312, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02417 392 NtQueryValueKey (308, (308, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02418 392 NtQueryValueKey (312, (312, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02419 392 NtQueryValueKey (308, (308, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02420 392 NtQueryValueKey (312, (312, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02421 392 NtQueryValueKey (308, (308, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02422 392 NtQueryValueKey (312, (312, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02423 392 NtQueryValueKey (312, (312, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02424 392 NtQueryValueKey (312, (312, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02425 392 NtQueryValueKey (312, (312, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02426 392 NtQueryValueKey (312, (312, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02427 392 NtQueryValueKey (312, (312, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02428 392 NtQueryValueKey (312, (312, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02429 392 NtQueryValueKey (308, (308, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02430 392 NtQueryValueKey (312, (312, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02431 392 NtQueryValueKey (312, (312, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02432 392 NtQueryValueKey (308, (308, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02433 392 NtQueryValueKey (312, (312, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02434 392 NtQueryValueKey (308, (308, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02435 392 NtQueryValueKey (312, (312, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02436 392 NtQueryValueKey (308, (308, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02437 392 NtQueryValueKey (312, (312, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02438 392 NtQueryValueKey (308, (308, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02439 392 NtQueryValueKey (312, (312, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02440 392 NtQueryValueKey (308, (308, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02441 392 NtQueryValueKey (312, (312, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02442 392 NtQueryValueKey (308, (308, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02443 392 NtQueryValueKey (312, (312, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02444 392 NtQueryValueKey (308, (308, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02445 392 NtQueryValueKey (312, (312, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02446 392 NtQueryValueKey (308, (308, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02447 392 NtQueryValueKey (312, (312, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02448 392 NtQueryValueKey (312, (312, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02449 392 NtQueryValueKey (312, (312, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02450 392 NtQueryValueKey (312, (312, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02451 392 NtQueryValueKey (312, (312, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02452 392 NtQueryValueKey (312, (312, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02453 392 NtQueryValueKey (312, (312, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02454 392 NtQueryValueKey (312, (312, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02455 392 NtQueryValueKey (312, (312, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02456 392 NtQueryValueKey (312, (312, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02457 392 NtQueryValueKey (312, (312, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02458 392 NtQueryValueKey (312, (312, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02459 392 NtQueryValueKey (312, (312, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02460 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 316, ) }, ... 316, ) == 0x0 02461 392 NtQueryValueKey (316, (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02462 392 NtClose (316, ... ) == 0x0 02463 392 NtClose (308, ... ) == 0x0 02464 392 NtClose (312, ... ) == 0x0 02465 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 312, ) }, ... 312, ) == 0x0 02466 392 NtQueryValueKey (312, (312, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02467 392 NtQueryValueKey (312, (312, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02468 392 NtQueryValueKey (312, (312, "DnsMulticastQueryTimeouts", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02469 392 NtClose (312, ... ) == 0x0 02470 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 02471 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 308, ) == 0x0 02472 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 316, ) == 0x0 02473 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02474 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 02475 392 NtAllocateVirtualMemory (-1, 11534336, 0, 4096, 4096, 4, ... 11534336, 4096, ) == 0x0 02476 392 NtAllocateVirtualMemory (-1, 11538432, 0, 8192, 4096, 4, ... 11538432, 8192, ) == 0x0 02477 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 320, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 320, {status=0x0, info=0}, ) == 0x0 02478 392 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 324, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 324, {status=0x0, info=0}, ) == 0x0 02479 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 328, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 328, {status=0x0, info=0}, ) == 0x0 02480 392 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0 02481 392 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1241588, (0x20100080, {24, 0, 0x40, 0, 1241588, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 
336, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=0}, ) == 0x0 02482 392 NtAllocateVirtualMemory (-1, 11546624, 0, 36864, 4096, 4, ... 11546624, 36864, ) == 0x0 02483 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 02484 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (320, 340, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02485 392 NtClose (340, ... ) == 0x0 02486 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 02487 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\34\325+\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (320, 340, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\34\325+\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 02488 392 NtClose (340, ... ) == 0x0 02489 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
340, ) == 0x0 02490 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0;\325+\273\304&\3\0\373\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\247}\0\0\300\0\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (320, 340, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0;\325+\273\304&\3\0\373\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\247}\0\0\300\0\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 02491 392 NtClose (340, ... ) == 0x0 02492 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02493 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 02494 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (320, 340, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02495 392 NtClose (340, ... ) == 0x0 02496 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
340, ) == 0x0 02497 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (320, 340, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 02498 392 NtClose (340, ... ) == 0x0 02499 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 02500 392 NtDeviceIoControlFile (320, 340, 0x0, 0x0, 0x120003, (320, 340, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\2\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (320, 340, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\2\0\0\0\3\0\1\0", ) , ) == 0x0 02501 392 NtClose (340, ... ) == 0x0 02502 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02503 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02504 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02505 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02506 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02507 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02508 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... 
{BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02509 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02510 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02511 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02512 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02513 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02514 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02515 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02516 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02517 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02518 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02519 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02520 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02521 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02522 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11599872, 65536, ) == 0x0 02523 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02524 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02525 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02526 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02527 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02528 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02529 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02530 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02531 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02532 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02533 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02534 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02535 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02536 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... 
(0xb10000), 65536, ) == 0x0 02537 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02538 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02539 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02540 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02541 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02542 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02543 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02544 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02545 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02546 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02547 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02548 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02549 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02550 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... 
{BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02551 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02552 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02553 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02554 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02555 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02556 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02557 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02558 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02559 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02560 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02561 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02562 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02563 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02564 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 
11599872, 4096, ) == 0x0 02565 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02566 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02567 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02568 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02569 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02570 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02571 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02572 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02573 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02574 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02575 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02576 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02577 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02578 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... 
{BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02579 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02580 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02581 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02582 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02583 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02584 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02585 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02586 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02587 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02588 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02589 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02590 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02591 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02592 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11599872, 65536, ) == 0x0 02593 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02594 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02595 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02596 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02597 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02598 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02599 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02600 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02601 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02602 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02603 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02604 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02605 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02606 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... 
(0xb10000), 65536, ) == 0x0 02607 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02608 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02609 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02610 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02611 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02612 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02613 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02614 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02615 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02616 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02617 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02618 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02619 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02620 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... 
{BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02621 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02622 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0 02623 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02624 392 NtAllocateVirtualMemory (-1, 11599872, 0, 1, 4096, 4, ... 11599872, 4096, ) == 0x0 02625 392 NtQueryVirtualMemory (-1, 0xb10000, Basic, 28, ... {BaseAddress=0xb10000,AllocationBase=0xb10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02626 392 NtFreeVirtualMemory (-1, (0xb10000), 0, 32768, ... (0xb10000), 65536, ) == 0x0 02627 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 340, ) }, ... 340, ) == 0x0 02628 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 344, ) }, ... 344, ) == 0x0 02629 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 348, ) }, ... 348, ) == 0x0 02630 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 352, ) }, ... 352, ) == 0x0 02631 392 NtQueryDefaultLocale (1, 1241524, ... ) == 0x0 02632 392 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 02633 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 02634 392 NtProtectVirtualMemory (-1, (0x71c21358), 4, 4, ... 
(0x71c21000), 4096, 32, ) == 0x0 02635 392 NtProtectVirtualMemory (-1, (0x71c21358), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02636 392 NtProtectVirtualMemory (-1, (0x71c213a4), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02637 392 NtProtectVirtualMemory (-1, (0x71c213a4), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02638 392 NtProtectVirtualMemory (-1, (0x71c213b4), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02639 392 NtProtectVirtualMemory (-1, (0x71c213b4), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02640 392 NtProtectVirtualMemory (-1, (0x71c213b8), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02641 392 NtProtectVirtualMemory (-1, (0x71c213b8), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02642 392 NtProtectVirtualMemory (-1, (0x71c213c0), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02643 392 NtProtectVirtualMemory (-1, (0x71c213c0), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02644 392 NtProtectVirtualMemory (-1, (0x71c213c4), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02645 392 NtProtectVirtualMemory (-1, (0x71c213c4), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02646 392 NtProtectVirtualMemory (-1, (0x71c213dc), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02647 392 NtProtectVirtualMemory (-1, (0x71c213dc), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02648 392 NtProtectVirtualMemory (-1, (0x71c213e8), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02649 392 NtProtectVirtualMemory (-1, (0x71c213e8), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02650 392 NtProtectVirtualMemory (-1, (0x71c213f4), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02651 392 NtProtectVirtualMemory (-1, (0x71c213f4), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02652 392 NtProtectVirtualMemory (-1, (0x71c21404), 4, 4, ... (0x71c21000), 4096, 32, ) == 0x0 02653 392 NtProtectVirtualMemory (-1, (0x71c21404), 4, 32, ... (0x71c21000), 4096, 4, ) == 0x0 02654 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1240060, ... ) }, 1240060, ... 
) == 0x0 02655 392 NtProtectVirtualMemory (-1, (0x76f210e8), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02656 392 NtProtectVirtualMemory (-1, (0x76f210e8), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02657 392 NtProtectVirtualMemory (-1, (0x76f2115c), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02658 392 NtProtectVirtualMemory (-1, (0x76f2115c), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02659 392 NtProtectVirtualMemory (-1, (0x76f21160), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02660 392 NtProtectVirtualMemory (-1, (0x76f21160), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02661 392 NtProtectVirtualMemory (-1, (0x76f21164), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02662 392 NtProtectVirtualMemory (-1, (0x76f21164), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02663 392 NtProtectVirtualMemory (-1, (0x76f21168), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02664 392 NtProtectVirtualMemory (-1, (0x76f21168), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02665 392 NtProtectVirtualMemory (-1, (0x76f21170), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02666 392 NtProtectVirtualMemory (-1, (0x76f21170), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02667 392 NtProtectVirtualMemory (-1, (0x76f21194), 4, 4, ... (0x76f21000), 4096, 32, ) == 0x0 02668 392 NtProtectVirtualMemory (-1, (0x76f21194), 4, 32, ... (0x76f21000), 4096, 4, ) == 0x0 02669 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 02670 392 NtProtectVirtualMemory (-1, (0x76d61100), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02671 392 NtProtectVirtualMemory (-1, (0x76d61100), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02672 392 NtProtectVirtualMemory (-1, (0x76d61114), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02673 392 NtProtectVirtualMemory (-1, (0x76d61114), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02674 392 NtProtectVirtualMemory (-1, (0x76d61134), 4, 4, ... 
(0x76d61000), 4096, 32, ) == 0x0 02675 392 NtProtectVirtualMemory (-1, (0x76d61134), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02676 392 NtProtectVirtualMemory (-1, (0x76d61148), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02677 392 NtProtectVirtualMemory (-1, (0x76d61148), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02678 392 NtProtectVirtualMemory (-1, (0x76d6114c), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02679 392 NtProtectVirtualMemory (-1, (0x76d6114c), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02680 392 NtProtectVirtualMemory (-1, (0x76d61160), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02681 392 NtProtectVirtualMemory (-1, (0x76d61160), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02682 392 NtProtectVirtualMemory (-1, (0x76de1200), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02683 392 NtProtectVirtualMemory (-1, (0x76de1200), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02684 392 NtProtectVirtualMemory (-1, (0x76de1214), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02685 392 NtProtectVirtualMemory (-1, (0x76de1214), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02686 392 NtProtectVirtualMemory (-1, (0x76de1220), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02687 392 NtProtectVirtualMemory (-1, (0x76de1220), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02688 392 NtProtectVirtualMemory (-1, (0x76de1230), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02689 392 NtProtectVirtualMemory (-1, (0x76de1230), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02690 392 NtProtectVirtualMemory (-1, (0x76de1234), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02691 392 NtProtectVirtualMemory (-1, (0x76de1234), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02692 392 NtProtectVirtualMemory (-1, (0x76de1244), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02693 392 NtProtectVirtualMemory (-1, (0x76de1244), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02694 392 NtProtectVirtualMemory (-1, (0x76de1248), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02695 392 NtProtectVirtualMemory (-1, (0x76de1248), 4, 32, ... 
(0x76de1000), 4096, 4, ) == 0x0 02696 392 NtProtectVirtualMemory (-1, (0x76de1254), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02697 392 NtProtectVirtualMemory (-1, (0x76de1254), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02698 392 NtProtectVirtualMemory (-1, (0x76f61024), 4, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02699 392 NtProtectVirtualMemory (-1, (0x76f61024), 4, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02700 392 NtProtectVirtualMemory (-1, (0x76f61028), 4, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02701 392 NtProtectVirtualMemory (-1, (0x76f61028), 4, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02702 392 NtProtectVirtualMemory (-1, (0x76f6102c), 4, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02703 392 NtProtectVirtualMemory (-1, (0x76f6102c), 4, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02704 392 NtProtectVirtualMemory (-1, (0x76f6105c), 4, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02705 392 NtProtectVirtualMemory (-1, (0x76f6105c), 4, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02706 392 NtProtectVirtualMemory (-1, (0x76e111d4), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02707 392 NtProtectVirtualMemory (-1, (0x76e111d4), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02708 392 NtProtectVirtualMemory (-1, (0x76e111d8), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02709 392 NtProtectVirtualMemory (-1, (0x76e111d8), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02710 392 NtProtectVirtualMemory (-1, (0x76e111fc), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02711 392 NtProtectVirtualMemory (-1, (0x76e111fc), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02712 392 NtProtectVirtualMemory (-1, (0x76e11204), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02713 392 NtProtectVirtualMemory (-1, (0x76e11204), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02714 392 NtProtectVirtualMemory (-1, (0x76e11224), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02715 392 NtProtectVirtualMemory (-1, (0x76e11224), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02716 392 NtProtectVirtualMemory (-1, (0x76e11228), 4, 4, ... 
(0x76e11000), 4096, 32, ) == 0x0 02717 392 NtProtectVirtualMemory (-1, (0x76e11228), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02718 392 NtProtectVirtualMemory (-1, (0x76e1122c), 4, 4, ... (0x76e11000), 4096, 32, ) == 0x0 02719 392 NtProtectVirtualMemory (-1, (0x76e1122c), 4, 32, ... (0x76e11000), 4096, 4, ) == 0x0 02720 392 NtProtectVirtualMemory (-1, (0x76b2b028), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02721 392 NtProtectVirtualMemory (-1, (0x76b2b028), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02722 392 NtProtectVirtualMemory (-1, (0x76b2b02c), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02723 392 NtProtectVirtualMemory (-1, (0x76b2b02c), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02724 392 NtProtectVirtualMemory (-1, (0x76b2b034), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02725 392 NtProtectVirtualMemory (-1, (0x76b2b034), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02726 392 NtProtectVirtualMemory (-1, (0x76b2b038), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02727 392 NtProtectVirtualMemory (-1, (0x76b2b038), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02728 392 NtProtectVirtualMemory (-1, (0x76b2b03c), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02729 392 NtProtectVirtualMemory (-1, (0x76b2b03c), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02730 392 NtProtectVirtualMemory (-1, (0x76b2b0ac), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02731 392 NtProtectVirtualMemory (-1, (0x76b2b0ac), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02732 392 NtProtectVirtualMemory (-1, (0x76b2b0b0), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02733 392 NtProtectVirtualMemory (-1, (0x76b2b0b0), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02734 392 NtProtectVirtualMemory (-1, (0x76b2b0b4), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02735 392 NtProtectVirtualMemory (-1, (0x76b2b0b4), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02736 392 NtProtectVirtualMemory (-1, (0x76b2b0b8), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02737 392 NtProtectVirtualMemory (-1, (0x76b2b0b8), 4, 2, ... 
(0x76b2b000), 4096, 4, ) == 0x0 02738 392 NtProtectVirtualMemory (-1, (0x76b2b0bc), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02739 392 NtProtectVirtualMemory (-1, (0x76b2b0bc), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02740 392 NtProtectVirtualMemory (-1, (0x76b2b0dc), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02741 392 NtProtectVirtualMemory (-1, (0x76b2b0dc), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02742 392 NtProtectVirtualMemory (-1, (0x76b2b0f4), 4, 4, ... (0x76b2b000), 4096, 2, ) == 0x0 02743 392 NtProtectVirtualMemory (-1, (0x76b2b0f4), 4, 2, ... (0x76b2b000), 4096, 4, ) == 0x0 02744 392 NtProtectVirtualMemory (-1, (0x76e410bc), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02745 392 NtProtectVirtualMemory (-1, (0x76e410bc), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02746 392 NtProtectVirtualMemory (-1, (0x76e411a0), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02747 392 NtProtectVirtualMemory (-1, (0x76e411a0), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02748 392 NtProtectVirtualMemory (-1, (0x76e411b8), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02749 392 NtProtectVirtualMemory (-1, (0x76e411b8), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02750 392 NtProtectVirtualMemory (-1, (0x76e411e0), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02751 392 NtProtectVirtualMemory (-1, (0x76e411e0), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02752 392 NtProtectVirtualMemory (-1, (0x76e411f4), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02753 392 NtProtectVirtualMemory (-1, (0x76e411f4), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02754 392 NtProtectVirtualMemory (-1, (0x76e41240), 4, 4, ... (0x76e41000), 4096, 32, ) == 0x0 02755 392 NtProtectVirtualMemory (-1, (0x76e41240), 4, 32, ... (0x76e41000), 4096, 4, ) == 0x0 02756 392 NtProtectVirtualMemory (-1, (0x76d41130), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02757 392 NtProtectVirtualMemory (-1, (0x76d41130), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02758 392 NtProtectVirtualMemory (-1, (0x76d41138), 4, 4, ... 
(0x76d41000), 4096, 32, ) == 0x0 02759 392 NtProtectVirtualMemory (-1, (0x76d41138), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02760 392 NtProtectVirtualMemory (-1, (0x76d41158), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02761 392 NtProtectVirtualMemory (-1, (0x76d41158), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02762 392 NtProtectVirtualMemory (-1, (0x76d41168), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02763 392 NtProtectVirtualMemory (-1, (0x76d41168), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02764 392 NtProtectVirtualMemory (-1, (0x76d41190), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02765 392 NtProtectVirtualMemory (-1, (0x76d41190), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02766 392 NtProtectVirtualMemory (-1, (0x76d41198), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02767 392 NtProtectVirtualMemory (-1, (0x76d41198), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02768 392 NtProtectVirtualMemory (-1, (0x76d411e0), 4, 4, ... (0x76d41000), 4096, 32, ) == 0x0 02769 392 NtProtectVirtualMemory (-1, (0x76d411e0), 4, 32, ... (0x76d41000), 4096, 4, ) == 0x0 02770 392 NtProtectVirtualMemory (-1, (0x76e810d8), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02771 392 NtProtectVirtualMemory (-1, (0x76e810d8), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02772 392 NtProtectVirtualMemory (-1, (0x76e810e0), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02773 392 NtProtectVirtualMemory (-1, (0x76e810e0), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02774 392 NtProtectVirtualMemory (-1, (0x76e81148), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02775 392 NtProtectVirtualMemory (-1, (0x76e81148), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02776 392 NtProtectVirtualMemory (-1, (0x76e8114c), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02777 392 NtProtectVirtualMemory (-1, (0x76e8114c), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02778 392 NtProtectVirtualMemory (-1, (0x76e81160), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02779 392 NtProtectVirtualMemory (-1, (0x76e81160), 4, 32, ... 
(0x76e81000), 4096, 4, ) == 0x0 02780 392 NtProtectVirtualMemory (-1, (0x76e81170), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02781 392 NtProtectVirtualMemory (-1, (0x76e81170), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02782 392 NtProtectVirtualMemory (-1, (0x76e811a0), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02783 392 NtProtectVirtualMemory (-1, (0x76e811a0), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02784 392 NtProtectVirtualMemory (-1, (0x76e811b0), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02785 392 NtProtectVirtualMemory (-1, (0x76e811b0), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02786 392 NtProtectVirtualMemory (-1, (0x76e811b4), 4, 4, ... (0x76e81000), 4096, 32, ) == 0x0 02787 392 NtProtectVirtualMemory (-1, (0x76e811b4), 4, 32, ... (0x76e81000), 4096, 4, ) == 0x0 02788 392 NtProtectVirtualMemory (-1, (0x766711e8), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02789 392 NtProtectVirtualMemory (-1, (0x766711e8), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02790 392 NtProtectVirtualMemory (-1, (0x766711fc), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02791 392 NtProtectVirtualMemory (-1, (0x766711fc), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02792 392 NtProtectVirtualMemory (-1, (0x76671258), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02793 392 NtProtectVirtualMemory (-1, (0x76671258), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02794 392 NtProtectVirtualMemory (-1, (0x76671290), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02795 392 NtProtectVirtualMemory (-1, (0x76671290), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02796 392 NtProtectVirtualMemory (-1, (0x766712cc), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02797 392 NtProtectVirtualMemory (-1, (0x766712cc), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02798 392 NtProtectVirtualMemory (-1, (0x766712e8), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02799 392 NtProtectVirtualMemory (-1, (0x766712e8), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02800 392 NtProtectVirtualMemory (-1, (0x766712ec), 4, 4, ... 
(0x76671000), 4096, 32, ) == 0x0 02801 392 NtProtectVirtualMemory (-1, (0x766712ec), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02802 392 NtProtectVirtualMemory (-1, (0x76671300), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02803 392 NtProtectVirtualMemory (-1, (0x76671300), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02804 392 NtProtectVirtualMemory (-1, (0x76671304), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02805 392 NtProtectVirtualMemory (-1, (0x76671304), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02806 392 NtProtectVirtualMemory (-1, (0x76671308), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02807 392 NtProtectVirtualMemory (-1, (0x76671308), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02808 392 NtProtectVirtualMemory (-1, (0x7667130c), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02809 392 NtProtectVirtualMemory (-1, (0x7667130c), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02810 392 NtProtectVirtualMemory (-1, (0x76671310), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02811 392 NtProtectVirtualMemory (-1, (0x76671310), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02812 392 NtProtectVirtualMemory (-1, (0x76671368), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02813 392 NtProtectVirtualMemory (-1, (0x76671368), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02814 392 NtProtectVirtualMemory (-1, (0x7667136c), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02815 392 NtProtectVirtualMemory (-1, (0x7667136c), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02816 392 NtProtectVirtualMemory (-1, (0x76671378), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02817 392 NtProtectVirtualMemory (-1, (0x76671378), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02818 392 NtProtectVirtualMemory (-1, (0x7667137c), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02819 392 NtProtectVirtualMemory (-1, (0x7667137c), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02820 392 NtProtectVirtualMemory (-1, (0x76671380), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02821 392 NtProtectVirtualMemory (-1, (0x76671380), 4, 32, ... 
(0x76671000), 4096, 4, ) == 0x0 02822 392 NtProtectVirtualMemory (-1, (0x76671384), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02823 392 NtProtectVirtualMemory (-1, (0x76671384), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02824 392 NtProtectVirtualMemory (-1, (0x76671390), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02825 392 NtProtectVirtualMemory (-1, (0x76671390), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02826 392 NtProtectVirtualMemory (-1, (0x766713a0), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02827 392 NtProtectVirtualMemory (-1, (0x766713a0), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02828 392 NtProtectVirtualMemory (-1, (0x766713a4), 4, 4, ... (0x76671000), 4096, 32, ) == 0x0 02829 392 NtProtectVirtualMemory (-1, (0x766713a4), 4, 32, ... (0x76671000), 4096, 4, ) == 0x0 02830 392 NtProtectVirtualMemory (-1, (0x76de12a0), 4, 4, ... (0x76de1000), 4096, 32, ) == 0x0 02831 392 NtProtectVirtualMemory (-1, (0x76de12a0), 4, 32, ... (0x76de1000), 4096, 4, ) == 0x0 02832 392 NtProtectVirtualMemory (-1, (0x76ee113c), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02833 392 NtProtectVirtualMemory (-1, (0x76ee113c), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02834 392 NtProtectVirtualMemory (-1, (0x76ee116c), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02835 392 NtProtectVirtualMemory (-1, (0x76ee116c), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02836 392 NtProtectVirtualMemory (-1, (0x76ee1170), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02837 392 NtProtectVirtualMemory (-1, (0x76ee1170), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02838 392 NtProtectVirtualMemory (-1, (0x76ee1178), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02839 392 NtProtectVirtualMemory (-1, (0x76ee1178), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02840 392 NtProtectVirtualMemory (-1, (0x76ee11b4), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02841 392 NtProtectVirtualMemory (-1, (0x76ee11b4), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02842 392 NtProtectVirtualMemory (-1, (0x76ee11e8), 4, 4, ... 
(0x76ee1000), 4096, 32, ) == 0x0 02843 392 NtProtectVirtualMemory (-1, (0x76ee11e8), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02844 392 NtProtectVirtualMemory (-1, (0x76ee11fc), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02845 392 NtProtectVirtualMemory (-1, (0x76ee11fc), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02846 392 NtProtectVirtualMemory (-1, (0x76ee1208), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02847 392 NtProtectVirtualMemory (-1, (0x76ee1208), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02848 392 NtProtectVirtualMemory (-1, (0x76ee121c), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02849 392 NtProtectVirtualMemory (-1, (0x76ee121c), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02850 392 NtProtectVirtualMemory (-1, (0x76ee1224), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02851 392 NtProtectVirtualMemory (-1, (0x76ee1224), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02852 392 NtProtectVirtualMemory (-1, (0x76ee1228), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02853 392 NtProtectVirtualMemory (-1, (0x76ee1228), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02854 392 NtProtectVirtualMemory (-1, (0x76ee122c), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02855 392 NtProtectVirtualMemory (-1, (0x76ee122c), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02856 392 NtProtectVirtualMemory (-1, (0x76ee123c), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02857 392 NtProtectVirtualMemory (-1, (0x76ee123c), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02858 392 NtProtectVirtualMemory (-1, (0x76ee1254), 4, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 02859 392 NtProtectVirtualMemory (-1, (0x76ee1254), 4, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 02860 392 NtProtectVirtualMemory (-1, (0x76e9108c), 4, 4, ... (0x76e91000), 4096, 32, ) == 0x0 02861 392 NtProtectVirtualMemory (-1, (0x76e9108c), 4, 32, ... (0x76e91000), 4096, 4, ) == 0x0 02862 392 NtProtectVirtualMemory (-1, (0x76e91090), 4, 4, ... (0x76e91000), 4096, 32, ) == 0x0 02863 392 NtProtectVirtualMemory (-1, (0x76e91090), 4, 32, ... 
(0x76e91000), 4096, 4, ) == 0x0 02864 392 NtProtectVirtualMemory (-1, (0x76e91094), 4, 4, ... (0x76e91000), 4096, 32, ) == 0x0 02865 392 NtProtectVirtualMemory (-1, (0x76e91094), 4, 32, ... (0x76e91000), 4096, 4, ) == 0x0 02866 392 NtProtectVirtualMemory (-1, (0x76e910a4), 4, 4, ... (0x76e91000), 4096, 32, ) == 0x0 02867 392 NtProtectVirtualMemory (-1, (0x76e910a4), 4, 32, ... (0x76e91000), 4096, 4, ) == 0x0 02868 392 NtProtectVirtualMemory (-1, (0x76e910dc), 4, 4, ... (0x76e91000), 4096, 32, ) == 0x0 02869 392 NtProtectVirtualMemory (-1, (0x76e910dc), 4, 32, ... (0x76e91000), 4096, 4, ) == 0x0 02870 392 NtProtectVirtualMemory (-1, (0x76eb113c), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02871 392 NtProtectVirtualMemory (-1, (0x76eb113c), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02872 392 NtProtectVirtualMemory (-1, (0x76eb1140), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02873 392 NtProtectVirtualMemory (-1, (0x76eb1140), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02874 392 NtProtectVirtualMemory (-1, (0x76eb1150), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02875 392 NtProtectVirtualMemory (-1, (0x76eb1150), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02876 392 NtProtectVirtualMemory (-1, (0x76eb1178), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02877 392 NtProtectVirtualMemory (-1, (0x76eb1178), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02878 392 NtProtectVirtualMemory (-1, (0x76eb1198), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02879 392 NtProtectVirtualMemory (-1, (0x76eb1198), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02880 392 NtProtectVirtualMemory (-1, (0x76eb11dc), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02881 392 NtProtectVirtualMemory (-1, (0x76eb11dc), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02882 392 NtProtectVirtualMemory (-1, (0x76eb1218), 4, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 02883 392 NtProtectVirtualMemory (-1, (0x76eb1218), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02884 392 NtProtectVirtualMemory (-1, (0x76eb121c), 4, 4, ... 
(0x76eb1000), 4096, 32, ) == 0x0 02885 392 NtProtectVirtualMemory (-1, (0x76eb121c), 4, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 02886 392 NtProtectVirtualMemory (-1, (0x76b41184), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02887 392 NtProtectVirtualMemory (-1, (0x76b41184), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02888 392 NtProtectVirtualMemory (-1, (0x76b4118c), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02889 392 NtProtectVirtualMemory (-1, (0x76b4118c), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02890 392 NtProtectVirtualMemory (-1, (0x76b411ac), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02891 392 NtProtectVirtualMemory (-1, (0x76b411ac), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02892 392 NtProtectVirtualMemory (-1, (0x76b411b4), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02893 392 NtProtectVirtualMemory (-1, (0x76b411b4), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02894 392 NtProtectVirtualMemory (-1, (0x76b411bc), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02895 392 NtProtectVirtualMemory (-1, (0x76b411bc), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02896 392 NtProtectVirtualMemory (-1, (0x76b411d4), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02897 392 NtProtectVirtualMemory (-1, (0x76b411d4), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02898 392 NtProtectVirtualMemory (-1, (0x76b411e4), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02899 392 NtProtectVirtualMemory (-1, (0x76b411e4), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02900 392 NtProtectVirtualMemory (-1, (0x76b411ec), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02901 392 NtProtectVirtualMemory (-1, (0x76b411ec), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02902 392 NtProtectVirtualMemory (-1, (0x76b411f4), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02903 392 NtProtectVirtualMemory (-1, (0x76b411f4), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02904 392 NtProtectVirtualMemory (-1, (0x76b4120c), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02905 392 NtProtectVirtualMemory (-1, (0x76b4120c), 4, 32, ... 
(0x76b41000), 4096, 4, ) == 0x0 02906 392 NtProtectVirtualMemory (-1, (0x76b4126c), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02907 392 NtProtectVirtualMemory (-1, (0x76b4126c), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02908 392 NtProtectVirtualMemory (-1, (0x76b41270), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02909 392 NtProtectVirtualMemory (-1, (0x76b41270), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02910 392 NtProtectVirtualMemory (-1, (0x76b41274), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02911 392 NtProtectVirtualMemory (-1, (0x76b41274), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02912 392 NtProtectVirtualMemory (-1, (0x76b4127c), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02913 392 NtProtectVirtualMemory (-1, (0x76b4127c), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02914 392 NtProtectVirtualMemory (-1, (0x76b41280), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02915 392 NtProtectVirtualMemory (-1, (0x76b41280), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02916 392 NtProtectVirtualMemory (-1, (0x76b412a0), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02917 392 NtProtectVirtualMemory (-1, (0x76b412a0), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02918 392 NtProtectVirtualMemory (-1, (0x76b412b4), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02919 392 NtProtectVirtualMemory (-1, (0x76b412b4), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02920 392 NtProtectVirtualMemory (-1, (0x76b412bc), 4, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02921 392 NtProtectVirtualMemory (-1, (0x76b412bc), 4, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02922 392 NtProtectVirtualMemory (-1, (0x76da10a0), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02923 392 NtProtectVirtualMemory (-1, (0x76da10a0), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02924 392 NtProtectVirtualMemory (-1, (0x76da10a8), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02925 392 NtProtectVirtualMemory (-1, (0x76da10a8), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02926 392 NtProtectVirtualMemory (-1, (0x76da10cc), 4, 4, ... 
(0x76da1000), 4096, 32, ) == 0x0 02927 392 NtProtectVirtualMemory (-1, (0x76da10cc), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02928 392 NtProtectVirtualMemory (-1, (0x76da10e8), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02929 392 NtProtectVirtualMemory (-1, (0x76da10e8), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02930 392 NtProtectVirtualMemory (-1, (0x76da10f0), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02931 392 NtProtectVirtualMemory (-1, (0x76da10f0), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02932 392 NtProtectVirtualMemory (-1, (0x76da10f8), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02933 392 NtProtectVirtualMemory (-1, (0x76da10f8), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02934 392 NtProtectVirtualMemory (-1, (0x76da10fc), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02935 392 NtProtectVirtualMemory (-1, (0x76da10fc), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02936 392 NtProtectVirtualMemory (-1, (0x76d81188), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02937 392 NtProtectVirtualMemory (-1, (0x76d81188), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02938 392 NtProtectVirtualMemory (-1, (0x76d811ac), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02939 392 NtProtectVirtualMemory (-1, (0x76d811ac), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02940 392 NtProtectVirtualMemory (-1, (0x76d811b0), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02941 392 NtProtectVirtualMemory (-1, (0x76d811b0), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02942 392 NtProtectVirtualMemory (-1, (0x76d811b4), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02943 392 NtProtectVirtualMemory (-1, (0x76d811b4), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02944 392 NtProtectVirtualMemory (-1, (0x76d811d4), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02945 392 NtProtectVirtualMemory (-1, (0x76d811d4), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02946 392 NtProtectVirtualMemory (-1, (0x76d811f4), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02947 392 NtProtectVirtualMemory (-1, (0x76d811f4), 4, 32, ... 
(0x76d81000), 4096, 4, ) == 0x0 02948 392 NtProtectVirtualMemory (-1, (0x76d81218), 4, 4, ... (0x76d81000), 4096, 32, ) == 0x0 02949 392 NtProtectVirtualMemory (-1, (0x76d81218), 4, 32, ... (0x76d81000), 4096, 4, ) == 0x0 02950 392 NtProtectVirtualMemory (-1, (0x76da1270), 4, 4, ... (0x76da1000), 4096, 32, ) == 0x0 02951 392 NtProtectVirtualMemory (-1, (0x76da1270), 4, 32, ... (0x76da1000), 4096, 4, ) == 0x0 02952 392 NtProtectVirtualMemory (-1, (0x76361074), 4, 4, ... (0x76361000), 4096, 32, ) == 0x0 02953 392 NtProtectVirtualMemory (-1, (0x76361074), 4, 32, ... (0x76361000), 4096, 4, ) == 0x0 02954 392 NtProtectVirtualMemory (-1, (0x76f5102c), 4, 4, ... (0x76f51000), 4096, 32, ) == 0x0 02955 392 NtProtectVirtualMemory (-1, (0x76f5102c), 4, 32, ... (0x76f51000), 4096, 4, ) == 0x0 02956 392 NtProtectVirtualMemory (-1, (0x76f51034), 4, 4, ... (0x76f51000), 4096, 32, ) == 0x0 02957 392 NtProtectVirtualMemory (-1, (0x76f51034), 4, 32, ... (0x76f51000), 4096, 4, ) == 0x0 02958 392 NtProtectVirtualMemory (-1, (0x76f51038), 4, 4, ... (0x76f51000), 4096, 32, ) == 0x0 02959 392 NtProtectVirtualMemory (-1, (0x76f51038), 4, 32, ... (0x76f51000), 4096, 4, ) == 0x0 02960 392 NtProtectVirtualMemory (-1, (0x76f51044), 4, 4, ... (0x76f51000), 4096, 32, ) == 0x0 02961 392 NtProtectVirtualMemory (-1, (0x76f51044), 4, 32, ... (0x76f51000), 4096, 4, ) == 0x0 02962 392 NtProtectVirtualMemory (-1, (0x76f5106c), 4, 4, ... (0x76f51000), 4096, 32, ) == 0x0 02963 392 NtProtectVirtualMemory (-1, (0x76f5106c), 4, 32, ... (0x76f51000), 4096, 4, ) == 0x0 02964 392 NtProtectVirtualMemory (-1, (0x76d6119c), 4, 4, ... (0x76d61000), 4096, 32, ) == 0x0 02965 392 NtProtectVirtualMemory (-1, (0x76d6119c), 4, 32, ... (0x76d61000), 4096, 4, ) == 0x0 02966 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MPR.dll"}, 1240060, ... ) }, 1240060, ... 
) == 0x0 02967 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 02968 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02969 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240108, ... ) }, 1240108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02970 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240108, ... ) }, 1240108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02971 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240108, ... ) }, 1240108, ... ) == 0x0 02972 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0 02973 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 356, ... 360, ) == 0x0 02974 392 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02975 392 NtClose (356, ... ) == 0x0 02976 392 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 02977 392 NtClose (360, ... ) == 0x0 02978 392 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 02979 392 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 02980 392 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 02981 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 360, ) }, ... 360, ) == 0x0 02982 392 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 02983 392 NtClose (360, ... ) == 0x0 02984 392 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... 
(0x763b1000), 4096, 32, ) == 0x0 02985 392 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02986 392 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 02987 392 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 02988 392 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 02989 392 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 02990 392 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02991 392 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02992 392 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02993 392 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02994 392 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02995 392 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02996 392 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02997 392 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02998 392 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02999 392 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 03000 392 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 03001 392 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 03002 392 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 03003 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03004 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03005 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03006 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03007 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11599872, 262144, ) == 0x0 03008 392 NtAllocateVirtualMemory (-1, 11599872, 0, 4096, 4096, 4, ... 11599872, 4096, ) == 0x0 03009 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03010 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11862016, 262144, ) == 0x0 03011 392 NtAllocateVirtualMemory (-1, 11862016, 0, 4096, 4096, 4, ... 11862016, 4096, ) == 0x0 03012 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03013 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12124160, 262144, ) == 0x0 03014 392 NtAllocateVirtualMemory (-1, 12124160, 0, 4096, 4096, 4, ... 12124160, 4096, ) == 0x0 03015 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03016 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12386304, 262144, ) == 0x0 03017 392 NtAllocateVirtualMemory (-1, 12386304, 0, 4096, 4096, 4, ... 12386304, 4096, ) == 0x0 03018 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03019 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03020 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03021 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03022 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236080, ... ) }, 1236080, ... ) == 0x0 03023 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 03024 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 356, ) == 0x0 03025 392 NtClose (360, ... ) == 0x0 03026 392 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc10000), 0x0, 90112, ) == 0x0 03027 392 NtClose (356, ... 
) == 0x0 03028 392 NtUnmapViewOfSection (-1, 0xc10000, ... ) == 0x0 03029 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236396, ... ) }, 1236396, ... ) == 0x0 03030 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0 03031 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 356, ... 360, ) == 0x0 03032 392 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03033 392 NtClose (356, ... ) == 0x0 03034 392 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 03035 392 NtClose (360, ... ) == 0x0 03036 392 NtQueryDefaultLocale (1, 1238084, ... ) == 0x0 03037 392 NtAllocateVirtualMemory (-1, 11603968, 0, 4096, 4096, 4, ... 11603968, 4096, ) == 0x0 03038 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 360, ) }, ... 360, ) == 0x0 03039 392 NtClose (360, ... ) == 0x0 03040 392 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03041 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03042 392 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03043 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03044 392 NtProtectVirtualMemory (-1, (0x77341244), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03045 392 NtProtectVirtualMemory (-1, (0x77341244), 4, 32, ... 
(0x77341000), 4096, 4, ) == 0x0 03046 392 NtProtectVirtualMemory (-1, (0x77341268), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03047 392 NtProtectVirtualMemory (-1, (0x77341268), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03048 392 NtProtectVirtualMemory (-1, (0x7734126c), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03049 392 NtProtectVirtualMemory (-1, (0x7734126c), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03050 392 NtProtectVirtualMemory (-1, (0x77341270), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03051 392 NtProtectVirtualMemory (-1, (0x77341270), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03052 392 NtProtectVirtualMemory (-1, (0x77341274), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03053 392 NtProtectVirtualMemory (-1, (0x77341274), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03054 392 NtProtectVirtualMemory (-1, (0x77341278), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03055 392 NtProtectVirtualMemory (-1, (0x77341278), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03056 392 NtProtectVirtualMemory (-1, (0x7734127c), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03057 392 NtProtectVirtualMemory (-1, (0x7734127c), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03058 392 NtProtectVirtualMemory (-1, (0x7734128c), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03059 392 NtProtectVirtualMemory (-1, (0x7734128c), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03060 392 NtProtectVirtualMemory (-1, (0x77341290), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03061 392 NtProtectVirtualMemory (-1, (0x77341290), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03062 392 NtProtectVirtualMemory (-1, (0x77341294), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03063 392 NtProtectVirtualMemory (-1, (0x77341294), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03064 392 NtProtectVirtualMemory (-1, (0x773412a4), 4, 4, ... (0x77341000), 4096, 32, ) == 0x0 03065 392 NtProtectVirtualMemory (-1, (0x773412a4), 4, 32, ... (0x77341000), 4096, 4, ) == 0x0 03066 392 NtProtectVirtualMemory (-1, (0x763b10b8), 4, 4, ... 
(0x763b1000), 4096, 32, ) == 0x0 03067 392 NtProtectVirtualMemory (-1, (0x763b10b8), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03068 392 NtProtectVirtualMemory (-1, (0x763b10bc), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03069 392 NtProtectVirtualMemory (-1, (0x763b10bc), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03070 392 NtProtectVirtualMemory (-1, (0x763b1100), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03071 392 NtProtectVirtualMemory (-1, (0x763b1100), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03072 392 NtProtectVirtualMemory (-1, (0x763b1108), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03073 392 NtProtectVirtualMemory (-1, (0x763b1108), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03074 392 NtProtectVirtualMemory (-1, (0x763b112c), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03075 392 NtProtectVirtualMemory (-1, (0x763b112c), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03076 392 NtProtectVirtualMemory (-1, (0x763b1130), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03077 392 NtProtectVirtualMemory (-1, (0x763b1130), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03078 392 NtProtectVirtualMemory (-1, (0x763b113c), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03079 392 NtProtectVirtualMemory (-1, (0x763b113c), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03080 392 NtProtectVirtualMemory (-1, (0x763b1140), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03081 392 NtProtectVirtualMemory (-1, (0x763b1140), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03082 392 NtProtectVirtualMemory (-1, (0x763b1144), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03083 392 NtProtectVirtualMemory (-1, (0x763b1144), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03084 392 NtProtectVirtualMemory (-1, (0x763b1150), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03085 392 NtProtectVirtualMemory (-1, (0x763b1150), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03086 392 NtProtectVirtualMemory (-1, (0x763b117c), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03087 392 NtProtectVirtualMemory (-1, (0x763b117c), 4, 32, ... 
(0x763b1000), 4096, 4, ) == 0x0 03088 392 NtProtectVirtualMemory (-1, (0x763b1188), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03089 392 NtProtectVirtualMemory (-1, (0x763b1188), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03090 392 NtProtectVirtualMemory (-1, (0x763b118c), 4, 4, ... (0x763b1000), 4096, 32, ) == 0x0 03091 392 NtProtectVirtualMemory (-1, (0x763b118c), 4, 32, ... (0x763b1000), 4096, 4, ) == 0x0 03092 392 NtProtectVirtualMemory (-1, (0x1f7b10b8), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03093 392 NtProtectVirtualMemory (-1, (0x1f7b10b8), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03094 392 NtProtectVirtualMemory (-1, (0x1f7b10bc), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03095 392 NtProtectVirtualMemory (-1, (0x1f7b10bc), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03096 392 NtProtectVirtualMemory (-1, (0x1f7b10c0), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03097 392 NtProtectVirtualMemory (-1, (0x1f7b10c0), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03098 392 NtProtectVirtualMemory (-1, (0x1f7b10c4), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03099 392 NtProtectVirtualMemory (-1, (0x1f7b10c4), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03100 392 NtProtectVirtualMemory (-1, (0x1f7b10c8), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03101 392 NtProtectVirtualMemory (-1, (0x1f7b10c8), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03102 392 NtProtectVirtualMemory (-1, (0x1f7b10cc), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03103 392 NtProtectVirtualMemory (-1, (0x1f7b10cc), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03104 392 NtProtectVirtualMemory (-1, (0x1f7b10dc), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03105 392 NtProtectVirtualMemory (-1, (0x1f7b10dc), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03106 392 NtProtectVirtualMemory (-1, (0x1f7b10e0), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03107 392 NtProtectVirtualMemory (-1, (0x1f7b10e0), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03108 392 NtProtectVirtualMemory (-1, (0x1f7b110c), 4, 4, ... 
(0x1f7b1000), 4096, 32, ) == 0x0 03109 392 NtProtectVirtualMemory (-1, (0x1f7b110c), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03110 392 NtProtectVirtualMemory (-1, (0x1f7b1110), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03111 392 NtProtectVirtualMemory (-1, (0x1f7b1110), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03112 392 NtProtectVirtualMemory (-1, (0x1f7b1114), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03113 392 NtProtectVirtualMemory (-1, (0x1f7b1114), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03114 392 NtProtectVirtualMemory (-1, (0x1f7b111c), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03115 392 NtProtectVirtualMemory (-1, (0x1f7b111c), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03116 392 NtProtectVirtualMemory (-1, (0x1f7b1144), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03117 392 NtProtectVirtualMemory (-1, (0x1f7b1144), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03118 392 NtProtectVirtualMemory (-1, (0x1f7b114c), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03119 392 NtProtectVirtualMemory (-1, (0x1f7b114c), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03120 392 NtProtectVirtualMemory (-1, (0x1f7b115c), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03121 392 NtProtectVirtualMemory (-1, (0x1f7b115c), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03122 392 NtProtectVirtualMemory (-1, (0x1f7b1194), 4, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 03123 392 NtProtectVirtualMemory (-1, (0x1f7b1194), 4, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 03124 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03125 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240108, ... ) }, 1240108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03126 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "avicap32.dll"}, 1240108, ... ) }, 1240108, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03127 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 1240108, ... ) }, 1240108, ... ) == 0x0 03128 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 03129 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 356, ) == 0x0 03130 392 NtQuerySection (356, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03131 392 NtClose (360, ... ) == 0x0 03132 392 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0 03133 392 NtClose (356, ... ) == 0x0 03134 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 356, ) }, ... 356, ) == 0x0 03135 392 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 03136 392 NtClose (356, ... ) == 0x0 03137 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03138 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239304, ... ) }, 1239304, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03139 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MSVFW32.dll"}, 1239304, ... ) }, 1239304, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03140 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 1239304, ... ) }, 1239304, ... ) == 0x0 03141 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0 03142 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 356, ... 360, ) == 0x0 03143 392 NtQuerySection (360, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 03144 392 NtClose (356, ... ) == 0x0 03145 392 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73bd0000), 0x0, 126976, ) == 0x0 03146 392 NtClose (360, ... ) == 0x0 03147 392 NtProtectVirtualMemory (-1, (0x73bd1000), 952, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03148 392 NtProtectVirtualMemory (-1, (0x73bd1000), 4096, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03149 392 NtFlushInstructionCache (-1, 1941770240, 952, ... ) == 0x0 03150 392 NtQueryDefaultLocale (1, 1240060, ... ) == 0x0 03151 392 NtQueryDefaultLocale (1, 1240064, ... ) == 0x0 03152 392 NtProtectVirtualMemory (-1, (0x73b81090), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03153 392 NtProtectVirtualMemory (-1, (0x73b81090), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03154 392 NtProtectVirtualMemory (-1, (0x73b81098), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03155 392 NtProtectVirtualMemory (-1, (0x73b81098), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03156 392 NtProtectVirtualMemory (-1, (0x73b810a8), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03157 392 NtProtectVirtualMemory (-1, (0x73b810a8), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03158 392 NtProtectVirtualMemory (-1, (0x73b810e0), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03159 392 NtProtectVirtualMemory (-1, (0x73b810e0), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03160 392 NtProtectVirtualMemory (-1, (0x73b81128), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03161 392 NtProtectVirtualMemory (-1, (0x73b81128), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03162 392 NtProtectVirtualMemory (-1, (0x73b8112c), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03163 392 NtProtectVirtualMemory (-1, (0x73b8112c), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03164 392 NtProtectVirtualMemory (-1, (0x73b81154), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03165 392 NtProtectVirtualMemory (-1, (0x73b81154), 4, 32, ... 
(0x73b81000), 4096, 4, ) == 0x0 03166 392 NtProtectVirtualMemory (-1, (0x73b81164), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03167 392 NtProtectVirtualMemory (-1, (0x73b81164), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03168 392 NtProtectVirtualMemory (-1, (0x73b81168), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03169 392 NtProtectVirtualMemory (-1, (0x73b81168), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03170 392 NtProtectVirtualMemory (-1, (0x73b81170), 4, 4, ... (0x73b81000), 4096, 32, ) == 0x0 03171 392 NtProtectVirtualMemory (-1, (0x73b81170), 4, 32, ... (0x73b81000), 4096, 4, ) == 0x0 03172 392 NtProtectVirtualMemory (-1, (0x77c01020), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03173 392 NtProtectVirtualMemory (-1, (0x77c01020), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03174 392 NtProtectVirtualMemory (-1, (0x77c0102c), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03175 392 NtProtectVirtualMemory (-1, (0x77c0102c), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03176 392 NtProtectVirtualMemory (-1, (0x77c01030), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03177 392 NtProtectVirtualMemory (-1, (0x77c01030), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03178 392 NtProtectVirtualMemory (-1, (0x77c0103c), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03179 392 NtProtectVirtualMemory (-1, (0x77c0103c), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03180 392 NtProtectVirtualMemory (-1, (0x77c01044), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03181 392 NtProtectVirtualMemory (-1, (0x77c01044), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03182 392 NtProtectVirtualMemory (-1, (0x77c01048), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03183 392 NtProtectVirtualMemory (-1, (0x77c01048), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03184 392 NtProtectVirtualMemory (-1, (0x77c01050), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03185 392 NtProtectVirtualMemory (-1, (0x77c01050), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03186 392 NtProtectVirtualMemory (-1, (0x77c01054), 4, 4, ... 
(0x77c01000), 4096, 32, ) == 0x0 03187 392 NtProtectVirtualMemory (-1, (0x77c01054), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03188 392 NtProtectVirtualMemory (-1, (0x77c01078), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03189 392 NtProtectVirtualMemory (-1, (0x77c01078), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03190 392 NtProtectVirtualMemory (-1, (0x77c01098), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03191 392 NtProtectVirtualMemory (-1, (0x77c01098), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03192 392 NtProtectVirtualMemory (-1, (0x77c0109c), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03193 392 NtProtectVirtualMemory (-1, (0x77c0109c), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03194 392 NtProtectVirtualMemory (-1, (0x77c010b0), 4, 4, ... (0x77c01000), 4096, 32, ) == 0x0 03195 392 NtProtectVirtualMemory (-1, (0x77c010b0), 4, 32, ... (0x77c01000), 4096, 4, ) == 0x0 03196 392 NtProtectVirtualMemory (-1, (0x73bd1130), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03197 392 NtProtectVirtualMemory (-1, (0x73bd1130), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03198 392 NtProtectVirtualMemory (-1, (0x73bd113c), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03199 392 NtProtectVirtualMemory (-1, (0x73bd113c), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03200 392 NtProtectVirtualMemory (-1, (0x73bd1140), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03201 392 NtProtectVirtualMemory (-1, (0x73bd1140), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03202 392 NtProtectVirtualMemory (-1, (0x73bd1144), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03203 392 NtProtectVirtualMemory (-1, (0x73bd1144), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03204 392 NtProtectVirtualMemory (-1, (0x73bd1150), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03205 392 NtProtectVirtualMemory (-1, (0x73bd1150), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03206 392 NtProtectVirtualMemory (-1, (0x73bd1168), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03207 392 NtProtectVirtualMemory (-1, (0x73bd1168), 4, 32, ... 
(0x73bd1000), 4096, 4, ) == 0x0 03208 392 NtProtectVirtualMemory (-1, (0x73bd1188), 4, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 03209 392 NtProtectVirtualMemory (-1, (0x73bd1188), 4, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 03210 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03211 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03212 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "botid"}, 0, ... 360, ) }, 0, ... 360, ) == 0x0 03213 392 NtWaitForSingleObject (360, 0, {-300000000, -1}, ... ) == 0x0 03214 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 1242400, ... ) }, 1242400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03215 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241088, ... ) }, 1241088, ... ) == 0x0 03216 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 356, {status=0x0, info=1}, ) }, 7, 2113568, ... 356, {status=0x0, info=1}, ) == 0x0 03217 392 NtSetInformationFile (356, 1241064, 40, Basic, ... ) == STATUS_ACCESS_DENIED 03218 392 NtClose (356, ... ) == 0x0 03219 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241332, (0x80100080, {24, 0, 0x40, 0, 1241332, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 356, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 356, {status=0x0, info=1}, ) == 0x0 03220 392 NtQueryInformationFile (356, 1242268, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 03221 392 NtQueryInformationFile (356, 1242240, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03222 392 NtQueryInformationFile (356, 1242192, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03223 392 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 
1396736, 8192, ) == 0x0 03224 392 NtQueryInformationFile (356, 1395536, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 03225 392 NtQueryInformationFile (356, 1240736, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03226 392 NtQueryInformationFile (356, 1240580, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 03227 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\LHDTGTBNP.EXE"}, 1239472, ... ) }, 1239472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03228 392 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240588, (0x40110080, {24, 0, 0x40, 0, 1240588, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 03229 392 NtClose (-2147482020, ... ) == 0x0 03228 392 NtCreateFile ... 364, {status=0x0, info=2}, ) == 0x0 03230 392 NtQueryVolumeInformationFile (364, 1239960, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 03231 392 NtQueryInformationFile (364, 1239920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03232 392 NtQueryVolumeInformationFile (356, 1239960, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 03233 392 NtQueryVolumeInformationFile (356, 1239644, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03234 392 NtSetInformationFile (364, 1239748, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03235 392 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 356, ... 368, ) == 0x0 03236 392 NtMapViewOfSection (368, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xc10000), {0, 0}, 180224, ) == 0x0 03237 392 NtClose (368, ... 
) == 0x0 03238 392 NtWriteFile (364, 0, 0, 0, (364, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\244\2563;\340\317]h\340\317]h\340\317]h\340\317\hh\317]h#\300\0h\347\317]h\200\307\20h\341\317]h\233\323Qh\342\317]hc\323Sh\371\317]h\217\320Vh\353\317]h\217\320Wh\234\317]h\346\354Vh\325\317]hRich\340\317]h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\374g\227F\0\0\0\0\0\0\0\0\340\0\17\3\13\1\6\0\0\0\0\0\0\236\2\0\0\0\0\0\0\34\12\0\0\320\10\0\0@\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340\12\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0,\373\11\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\11\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\0ext\0\0\0t!\2\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 03239 392 NtWriteFile (364, 0, 0, 0, (364, 0, 0, 0, "\2318\337\311\216\4\27\220\317\303\212\227#\220\14\313\323\250alQ\353\356*`\314\325\237i\302x\241\231\225\15\22\204e\253:\335\256x\217\315Y\221{r\243g\12\260\272?\302\214\310\31\257z\256y\300\225\245\260I\305TrV\7\205\314@<-'$j"\0\33\213\7\246\375\300\220!\213\246\222H$x\27U\247\236j\36,\211t\213T\16\247We\253\264z\221\2147_w\303\204V\217\270$\32C\224\6\213h\32|\213Q:\14\305\376M\220\27\251\24|\312\306\361\256pZl\325\233T|}\236\216\0L\36\323Kc\267=Is\1~`\352$\13q[\375\212\223\265\212\36u{\260\15.\17'\14\216K:\307\211\346\1\275q\14\343u\242T\361:\323K\325\266F\10\252~\374\367\210\307\34m\247m\I\371\265a\332\217\215\310\345\247\323\168\272cA\34\314\5\31FE\250:\27~\227\347\247\324\256\333\363'\352\313\201\276\11\337\24\13_\371Z\360\6\377p\367\225G\261_\177#5(d\240\36\276OB\245e\351>\353\30\252\300\211\227\363\33k\0?\261\323b\305\305"_\361\32\237k\254\33\306\325\220\333.ML\3450\345a\340\272\243q\252\275\0\217(_)O\330\256\326\206\325\237\203\0WGp\12?\265[*sk\35d2\34\264\223<\13Ir\220BU\214\340\206\236\332\377aG\213\223\353\362\222C-\224\273\257\263\361pE\253\324C^-\263\257\313\228\11\37Z\377\360\33`\244N\326\332\265\367\275R\221\216h\336'\367\303:E\207\10\315\374\215_\15\17\274\345\314\30\220\203\323w\311\27U\356]\245\255.\232\35\301\347\13\341\353\315Ue\352\361\275M,:\353~U\377\266\33Ds\221\212\21\253\266\343\210\214X\27kR\307\235\1\315/\361^7y\212&\261\324", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \0\33\213\7\246\375\300\220!\213\246\222H$x\27U\247\236j\36,\211t\213T\16\247We\253\264z\221\2147_w\303\204V\217\270$\32C\224\6\213h\32|\213Q:\14\305\376M\220\27\251\24|\312\306\361\256pZl\325\233T|}\236\216\0L\36\323Kc\267=Is\1~`\352$\13q[\375\212\223\265\212\36u{\260\15.\17'\14\216K:\307\211\346\1\275q\14\343u\242T\361:\323K\325\266F\10\252~\374\367\210\307\34m\247m\I\371\265a\332\217\215\310\345\247\323\168\272cA\34\314\5\31FE\250:\27~\227\347\247\324\256\333\363'\352\313\201\276\11\337\24\13_\371Z\360\6\377p\367\225G\261_\177#5(d\240\36\276OB\245e\351>\353\30\252\300\211\227\363\33k\0?\261\323b\305\305 (364, 0, 0, 0, "\2318\337\311\216\4\27\220\317\303\212\227#\220\14\313\323\250alQ\353\356*`\314\325\237i\302x\241\231\225\15\22\204e\253:\335\256x\217\315Y\221{r\243g\12\260\272?\302\214\310\31\257z\256y\300\225\245\260I\305TrV\7\205\314@<-'$j"\0\33\213\7\246\375\300\220!\213\246\222H$x\27U\247\236j\36,\211t\213T\16\247We\253\264z\221\2147_w\303\204V\217\270$\32C\224\6\213h\32|\213Q:\14\305\376M\220\27\251\24|\312\306\361\256pZl\325\233T|}\236\216\0L\36\323Kc\267=Is\1~`\352$\13q[\375\212\223\265\212\36u{\260\15.\17'\14\216K:\307\211\346\1\275q\14\343u\242T\361:\323K\325\266F\10\252~\374\367\210\307\34m\247m\I\371\265a\332\217\215\310\345\247\323\168\272cA\34\314\5\31FE\250:\27~\227\347\247\324\256\333\363'\352\313\201\276\11\337\24\13_\371Z\360\6\377p\367\225G\261_\177#5(d\240\36\276OB\245e\351>\353\30\252\300\211\227\363\33k\0?\261\323b\305\305"_\361\32\237k\254\33\306\325\220\333.ML\3450\345a\340\272\243q\252\275\0\217(_)O\330\256\326\206\325\237\203\0WGp\12?\265[*sk\35d2\34\264\223<\13Ir\220BU\214\340\206\236\332\377aG\213\223\353\362\222C-\224\273\257\263\361pE\253\324C^-\263\257\313\228\11\37Z\377\360\33`\244N\326\332\265\367\275R\221\216h\336'\367\303:E\207\10\315\374\215_\15\17\274\345\314\30\220\203\323w\311\27U\356]\245\255.\232\35\301\347\13\341\353\315Ue\352\361\275M,:\353~U\377\266\33Ds\221\212\21\253\266\343\210\214X\27kR\3
07\235\1\315/\361^7y\212&\261\324", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 03240 392 NtWriteFile (364, 0, 0, 0, (364, 0, 0, 0, "\376\367\202DC )o\213\237\370\313\254\30\364\211\350\235\336\303\375\335\26\\247\311\21\247S\315\20pe\340$^\205\332\233\2730]\204]`\34\356\305%\302\331\7\250\36\233\253 \216\370\377(~\31@`\203\237\320\326\305~\233\3062;L\203!\242\370t\205\203*\16\313\246\215\34\31\263\350\272JW\347\215C%X\14\267/M~5\31\34?E\240\215W\251\376&K\2327#\242\321\14\300v\331\11\213\215^8\376#\204C\245\374\322v\210\363Z\244\372\240Pn\234\235s\344]\322\331\364A\224\351\211\15\253\273\201\251\371\252\2336\3756%\357\310\23H7i\27q\377\201\211\321\354\0\354\24\314\275\366\367\264\332"4A\241P\20J\377\27\245\213\327\301\305\273d:\227+\334\26\20\5\374\311\15\376\221^\260dn\353\361pc\354\237\255)W$\373\256o\347C m\340\252-\377]\305\260\260\326\350\366\365\200\33}Ph\321s\321\226\375[\305\324kV\4\237\233Q6\264\235bgu;\255\206O\341\4s\306m\347\300\302\4Va\233\336A$\227ENC*\27b\244P\30\237]\21\315\262\225q\6M\334IDJ\267J:v"yZ\5|\342\351\256\222\355~F\203\3\276\27V\352\206"\24\344\247\325J\322\325\364\275\264m\277\255\336\214\246$\146\32\325^\357J\363k\267B\30\227\221\245{S\351\306\24V\244\271YrA1i@s\234<$\337U\263\324\250\244S\254@\343\25\266\350\340:\336f\373\222Z6O\230\24/N\21\356B\364\276\247Xl:\355\230\251\347\355\336\361\3258\320\267\330\303\216\311N\5\226\235\334\260=~rA`\\355\3,\373\16\264\267\1\35\375d\31C\245\315\212\301\327(\326~\306\303@\3166\265~6$\231\257\341\300kR\356\266\210", 56320, 0x0, 0, ... 
{status=0x0, info=56320}, ) 4A\241P\20J\377\27\245\213\327\301\305\273d:\227+\334\26\20\5\374\311\15\376\221^\260dn\353\361pc\354\237\255)W$\373\256o\347C m\340\252-\377]\305\260\260\326\350\366\365\200\33}Ph\321s\321\226\375[\305\324kV\4\237\233Q6\264\235bgu;\255\206O\341\4s\306m\347\300\302\4Va\233\336A$\227ENC*\27b\244P\30\237]\21\315\262\225q\6M\334IDJ\267J:v (364, 0, 0, 0, "\376\367\202DC )o\213\237\370\313\254\30\364\211\350\235\336\303\375\335\26\\247\311\21\247S\315\20pe\340$^\205\332\233\2730]\204]`\34\356\305%\302\331\7\250\36\233\253 \216\370\377(~\31@`\203\237\320\326\305~\233\3062;L\203!\242\370t\205\203*\16\313\246\215\34\31\263\350\272JW\347\215C%X\14\267/M~5\31\34?E\240\215W\251\376&K\2327#\242\321\14\300v\331\11\213\215^8\376#\204C\245\374\322v\210\363Z\244\372\240Pn\234\235s\344]\322\331\364A\224\351\211\15\253\273\201\251\371\252\2336\3756%\357\310\23H7i\27q\377\201\211\321\354\0\354\24\314\275\366\367\264\332"4A\241P\20J\377\27\245\213\327\301\305\273d:\227+\334\26\20\5\374\311\15\376\221^\260dn\353\361pc\354\237\255)W$\373\256o\347C m\340\252-\377]\305\260\260\326\350\366\365\200\33}Ph\321s\321\226\375[\305\324kV\4\237\233Q6\264\235bgu;\255\206O\341\4s\306m\347\300\302\4Va\233\336A$\227ENC*\27b\244P\30\237]\21\315\262\225q\6M\334IDJ\267J:v"yZ\5|\342\351\256\222\355~F\203\3\276\27V\352\206"\24\344\247\325J\322\325\364\275\264m\277\255\336\214\246$\146\32\325^\357J\363k\267B\30\227\221\245{S\351\306\24V\244\271YrA1i@s\234<$\337U\263\324\250\244S\254@\343\25\266\350\340:\336f\373\222Z6O\230\24/N\21\356B\364\276\247Xl:\355\230\251\347\355\336\361\3258\320\267\330\303\216\311N\5\226\235\334\260=~rA`\\355\3,\373\16\264\267\1\35\375d\31C\245\315\212\301\327(\326~\306\303@\3166\265~6$\231\257\341\300kR\356\266\210", 56320, 0x0, 0, ... 
{status=0x0, info=56320}, ) \24\344\247\325J\322\325\364\275\264m\277\255\336\214\246$\146\32\325^\357J\363k\267B\30\227\221\245{S\351\306\24V\244\271YrA1i@s\234<$\337U\263\324\250\244S\254@\343\25\266\350\340:\336f\373\222Z6O\230\24/N\21\356B\364\276\247Xl:\355\230\251\347\355\336\361\3258\320\267\330\303\216\311N\5\226\235\334\260=~rA`\\355\3,\373\16\264\267\1\35\375d\31C\245\315\212\301\327(\326~\306\303@\3166\265~6$\231\257\341\300kR\356\266\210", 56320, 0x0, 0, ... {status=0x0, info=56320}, ) == 0x0 03241 392 NtUnmapViewOfSection (-1, 0xc10000, ... ) == 0x0 03242 392 NtSetInformationFile (364, 1242192, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03243 392 NtClose (356, ... ) == 0x0 03244 392 NtClose (364, ... ) == 0x0 03245 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241296, ... ) }, 1241296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03246 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241296, ... ) }, 1241296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03247 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241296, ... ) }, 1241296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03248 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241296, ... ) }, 1241296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03249 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241296, ... ) }, 1241296, ... ) == 0x0 03250 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 1241804, ... ) }, 1241804, ... ) == 0x0 03251 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 7, 2113568, ... 364, {status=0x0, info=1}, ) }, 7, 2113568, ... 364, {status=0x0, info=1}, ) == 0x0 03252 392 NtSetInformationFile (364, 1241780, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 03253 392 NtClose (364, ... ) == 0x0 03254 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241784, "\??\C:\WINDOWS\EXPLORER.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION 03255 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\EXPLORER.EXE"}, 7, 2113568, ... 364, {status=0x0, info=1}, ) == 0x0 03256 392 NtSetInformationFile (364, 1241780, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03257 392 NtClose (364, ... ) == 0x0 03258 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242048, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0 03259 392 NtQueryInformationFile (364, 1242140, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03260 392 NtClose (364, ... ) == 0x0 03261 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\LHDTGTBNP.EXE"}, 1241804, ... ) == 0x0 03262 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\LHDTGTBNP.EXE"}, 7, 2113568, ... 364, {status=0x0, info=1}, ) == 0x0 03263 392 NtSetInformationFile (364, 1241780, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03264 392 NtClose (364, ... ) == 0x0 03265 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241784, "\??\C:\WINDOWS\SYSTEM32\LHDTGTBNP.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0 03266 392 NtQueryInformationFile (364, 1241836, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03267 392 NtQueryInformationFile (364, 1241836, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 03268 392 NtCreateSection (0xf0007, 0x0, {179200, 0}, 4, 134217728, 364, ... 356, ) == 0x0 03269 392 NtMapViewOfSection (356, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc10000), {0, 0}, 180224, ) == 0x0 03270 392 NtUnmapViewOfSection (-1, 0xc10000, ... ) == 0x0 03271 392 NtClose (356, ... ) == 0x0 03272 392 NtSetInformationFile (364, 1241840, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03273 392 NtClose (364, ... ) == 0x0 03274 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\LHDTGTBNP.EXE"}, 7, 2113568, ... 364, {status=0x0, info=1}, ) == 0x0 03275 392 NtSetInformationFile (364, 1241784, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03276 392 NtClose (364, ... ) == 0x0 03277 392 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1242048, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0 03278 392 NtSetInformationFile (364, 1242140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03279 392 NtClose (364, ... ) == 0x0 03280 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 7, 2113568, ... 364, {status=0x0, info=1}, ) == 0x0 03281 392 NtSetInformationFile (364, 1242392, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03282 392 NtClose (364, ... ) == 0x0 03283 392 NtOpenProcess (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {316, 0}, ... 364, ) == 0x0 03284 392 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 03285 392 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 5, 96, ... 
356, {status=0x0, info=1}, ) == 0x0 03286 392 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 356, ... 368, ) == 0x0 03287 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03288 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 372, ) == 0x0 03289 392 NtQueryValueKey (372, "DisableAppCompat", Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03290 392 NtClose (372, ... ) == 0x0 03291 392 NtQueryVolumeInformationFile (356, 1238888, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03292 392 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 372, ) == 0x0 03293 392 NtWaitForSingleObject (372, 0, {-1000000, -1}, ... ) == 0x0 03294 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 376, ) == 0x0 03295 392 NtMapViewOfSection (376, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc10000), {0, 0}, 57344, ) == 0x0 03296 392 NtReleaseMutant (372, ... 0x0, ) == 0x0 03297 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236872, ... ) == 0x0 03298 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 380, {status=0x0, info=1}, ) == 0x0 03299 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 380, ... 384, ) == 0x0 03300 392 NtClose (380, ... ) == 0x0 03301 392 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc20000), 0x0, 106496, ) == 0x0 03302 392 NtClose (384, ... ) == 0x0 03303 392 NtUnmapViewOfSection (-1, 0xc20000, ... 
) == 0x0 03304 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237188, ... ) == 0x0 03305 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 384, {status=0x0, info=1}, ) == 0x0 03306 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 384, ... 380, ) == 0x0 03307 392 NtQuerySection (380, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03308 392 NtClose (384, ... ) == 0x0 03309 392 NtMapViewOfSection (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 03310 392 NtClose (380, ... ) == 0x0 03311 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0 03312 392 NtQueryInformationFile (380, 1237476, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03313 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 380, ... 384, ) == 0x0 03314 392 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc20000), 0x0, 1028096, ) == 0x0 03315 392 NtQueryInformationFile (380, 1237572, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03316 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03317 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03318 392 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 03319 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 
388, {status=0x0, info=1}, ) == 0x0 03320 392 NtQueryDirectoryFile (388, 0, 0, 0, 1235136, 616, BothDirectory, 1, "lhdtgtbnp.exe", 0, ... {status=0x0, info=120}, ) == 0x0 03321 392 NtClose (388, ... ) == 0x0 03322 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03323 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03324 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 1234524, ... ) == 0x0 03325 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 388, {status=0x0, info=1}, ) == 0x0 03326 392 NtQueryDirectoryFile (388, 0, 0, 0, 1233884, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) == 0x0 03327 392 NtClose (388, ... ) == 0x0 03328 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 388, {status=0x0, info=1}, ) == 0x0 03329 392 NtQueryDirectoryFile (388, 0, 0, 0, 1233884, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) == 0x0 03330 392 NtClose (388, ... ) == 0x0 03331 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03332 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03333 392 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03334 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03335 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 03336 392 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03337 392 NtClose (388, ... ) == 0x0 03338 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03339 392 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\lhdtgtbnp.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03340 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03341 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03342 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 1236804, ... ) == 0x0 03343 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 388, {status=0x0, info=1}, ) == 0x0 03344 392 NtQueryDirectoryFile (388, 0, 0, 0, 1236164, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) == 0x0 03345 392 NtClose (388, ... ) == 0x0 03346 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 388, {status=0x0, info=1}, ) == 0x0 03347 392 NtQueryDirectoryFile (388, 0, 0, 0, 1236164, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) == 0x0 03348 392 NtClose (388, ... 
) == 0x0 03349 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03350 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03351 392 NtWaitForSingleObject (372, 0, {-1000000, -1}, ... ) == 0x0 03352 392 NtQueryVolumeInformationFile (356, 1237448, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03353 392 NtQueryInformationFile (356, 1237428, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03354 392 NtQueryInformationFile (356, 1237468, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03355 392 NtReleaseMutant (372, ... 0x0, ) == 0x0 03356 392 NtUnmapViewOfSection (-1, 0xc20000, ... ) == 0x0 03357 392 NtClose (384, ... ) == 0x0 03358 392 NtClose (380, ... ) == 0x0 03359 392 NtQuerySection (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03360 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lhdtgtbnp.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03361 392 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 03362 392 NtOpenProcessToken (-1, 0xa, ... 380, ) == 0x0 03363 392 NtQueryInformationToken (380, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 03364 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03365 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 384, ) == 0x0 03366 392 NtQueryValueKey (384, "TransparentEnabled", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 03367 392 NtQueryValueKey (384, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) == 0x0 03368 392 NtClose (384, ... ) == 0x0 03369 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 384, ) == 0x0 03370 392 NtQueryValueKey (384, "ExecutableTypes", Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 03371 392 NtQueryValueKey (384, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) == 0x0 03372 392 NtClose (384, ... ) == 0x0 03373 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03374 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 384, ) == 0x0 03375 392 NtQueryValueKey (384, "Levels", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03376 392 NtClose (384, ... ) == 0x0 03377 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03378 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03379 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03380 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03381 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03382 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03383 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03384 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03385 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03386 392 NtQueryDefaultLocale (1, 1238260, ... ) == 0x0 03387 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 384, ) == 0x0 03388 392 NtEnumerateKey (384, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) == 0x0 03389 392 NtOpenKey (0x20019, {24, 384, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 388, ) == 0x0 03390 392 NtQueryValueKey (388, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) == 0x0 03391 392 NtQueryValueKey (388, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) == 0x0 03392 392 NtClose (388, ... ) == 0x0 03393 392 NtEnumerateKey (384, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 03394 392 NtClose (384, ... ) == 0x0 03395 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03396 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03397 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03398 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03399 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03400 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03401 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03402 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03403 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03404 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03405 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03406 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03407 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03408 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03409 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03410 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03411 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03412 392 NtClose (384, ... ) == 0x0 03413 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03414 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03415 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03416 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03417 392 NtClose (384, ... ) == 0x0 03418 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03419 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03420 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03421 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03422 392 NtClose (384, ... ) == 0x0 03423 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03424 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03425 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03426 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03427 392 NtClose (384, ... 
) == 0x0 03428 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03429 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03430 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03431 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03432 392 NtClose (384, ... ) == 0x0 03433 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03434 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03435 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03436 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03437 392 NtClose (384, ... ) == 0x0 03438 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03439 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03440 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03441 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03442 392 NtClose (384, ... ) == 0x0 03443 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03444 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03445 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03446 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03447 392 NtClose (384, ... ) == 0x0 03448 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03449 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03450 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03451 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03452 392 NtClose (384, ... ) == 0x0 03453 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03454 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03455 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03456 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03457 392 NtClose (384, ... ) == 0x0 03458 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03459 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03460 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03461 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03462 392 NtClose (384, ... 
) == 0x0 03463 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03464 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03465 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03466 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03467 392 NtClose (384, ... ) == 0x0 03468 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03469 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03470 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03471 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03472 392 NtClose (384, ... ) == 0x0 03473 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03474 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03475 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03476 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03477 392 NtClose (384, ... ) == 0x0 03478 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03479 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03480 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03481 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03482 392 NtClose (384, ... ) == 0x0 03483 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03484 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 384, ) == 0x0 03485 392 NtQueryValueKey (384, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) == 0x0 03486 392 NtClose (384, ... ) == 0x0 03487 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03488 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 384, ) == 0x0 03489 392 NtQueryInformationToken (384, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03490 392 NtClose (384, ... ) == 0x0 03491 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03492 392 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 03493 392 NtOpenProcessToken (-1, 0xa, ... 384, ) == 0x0 03494 392 NtDuplicateToken (384, 0xc, {24, 0, 0x0, 0, 1238780, 0x0}, 0, 2, ... 388, ) == 0x0 03495 392 NtClose (384, ... ) == 0x0 03496 392 NtAccessCheck (1401584, 388, 0x1, 1238908, 1238852, 56, 1238936, ...
(0x1), ) == 0x0 03497 392 NtClose (388, ... ) == 0x0 03498 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) == 0x0 03499 392 NtQueryValueKey (388, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) == 0x0 03500 392 NtClose (388, ... ) == 0x0 03501 392 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 388, ) == 0x0 03502 392 NtQuerySymbolicLinkObject (388, ... "\Device\HarddiskVolume1", 48, ) == 0x0 03503 392 NtClose (388, ... ) == 0x0 03504 392 NtQueryInformationFile (356, 1237240, 528, Name, ... {status=0x0, info=66}, ) == 0x0 03505 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03506 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03507 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe"}, 1235828, ... ) == 0x0 03508 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 388, {status=0x0, info=1}, ) == 0x0 03509 392 NtQueryDirectoryFile (388, 0, 0, 0, 1235188, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) == 0x0 03510 392 NtClose (388, ... ) == 0x0 03511 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ...
388, {status=0x0, info=1}, ) == 0x0 03512 392 NtQueryDirectoryFile (388, 0, 0, 0, 1235188, 616, BothDirectory, 1, (388, 0, 0, 0, 1235188, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 03513 392 NtClose (388, ... ) == 0x0 03514 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03515 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03516 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03517 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 03518 392 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03519 392 NtClose (388, ... ) == 0x0 03520 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 388, ) }, ... 388, ) == 0x0 03521 392 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 384, ) }, ... 384, ) == 0x0 03522 392 NtClose (388, ... ) == 0x0 03523 392 NtQueryValueKey (384, (384, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03524 392 NtQueryValueKey (384, (384, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (384, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 03525 392 NtClose (384, ... ) == 0x0 03526 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 12713984, 4096, ) == 0x0 03527 392 NtAllocateVirtualMemory (-1, 12713984, 0, 4096, 4096, 4, ... 12713984, 4096, ) == 0x0 03528 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 384, ) }, ... 384, ) == 0x0 03529 392 NtQueryValueKey (384, (384, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03530 392 NtClose (384, ... ) == 0x0 03531 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03532 392 NtQueryInformationToken (380, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 03533 392 NtQueryInformationToken (380, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 03534 392 NtClose (380, ... ) == 0x0 03535 392 NtCreateProcessEx (1241516, 2035711, 0, -1, 4, 368, 0, 0, 0, ... ) == 0x0 03536 392 NtOpenSection (0x6, {24, 52, 0x0, 0, 0, (0x6, {24, 52, 0x0, 0, 0, "W32_Virtu"}, ... 384, ) }, ... 384, ) == 0x0 03537 392 NtMapViewOfSection (384, 380, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 03538 392 NtClose (384, ... ) == 0x0 03539 392 NtProtectVirtualMemory (380, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 03540 392 NtWriteVirtualMemory (380, 0x77f7e603, (380, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 03541 392 NtProtectVirtualMemory (380, (0x77f7e6a3), 5, 64, ... 
(0x77f7e000), 4096, 64, ) == 0x0 03542 392 NtWriteVirtualMemory (380, 0x77f7e6a3, (380, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 03543 392 NtProtectVirtualMemory (380, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 03544 392 NtWriteVirtualMemory (380, 0x77f7e6b3, (380, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 03545 392 NtSetInformationProcess (380, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0 03546 392 NtQueryInformationProcess (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=316,}, 0x0, ) == 0x0 03547 392 NtReadVirtualMemory (380, 0x7ffdf008, 4, ... (380, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 03548 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\lhdtgtbnp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03549 392 NtAllocateVirtualMemory (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0 03550 392 NtReadVirtualMemory (380, 0x400000, 4096, ... (380, 0x400000, 4096, ... 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\244\2563;\340\317]h\340\317]h\340\317]h\340\317\hh\317]h#\300\0h\347\317]h\200\307\20h\341\317]h\233\323Qh\342\317]hc\323Sh\371\317]h\217\320Vh\353\317]h\217\320Wh\234\317]h\346\354Vh\325\317]hRich\340\317]h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\374g\227F\0\0\0\0\0\0\0\0\340\0\17\3\13\1\6\0\0\0\0\0\0\236\2\0\0\0\0\0\0\34\12\0\0\320\10\0\0@\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\340\12\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0,\373\11\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\11\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\0ext\0\0\0t!\2\0", 4096, ) , 4096, ) == 0x0 03551 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03552 392 NtQueryInformationProcess (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=316,}, 0x0, ) == 0x0 03553 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239580, ... ) }, 1239580, ... ) == 0x0 03554 392 NtAllocateVirtualMemory (-1, 0, 0, 1660, 4096, 4, ... 12779520, 4096, ) == 0x0 03555 392 NtAllocateVirtualMemory (380, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 03556 392 NtWriteVirtualMemory (380, 0x10000, (380, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 03557 392 NtAllocateVirtualMemory (380, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0 03558 392 NtWriteVirtualMemory (380, 0x20000, (380, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0B\0D\0\230\5\0\0t\0v\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0T\6\0\0\36\0 
\0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0 03559 392 NtWriteVirtualMemory (380, 0x7ffdf010, (380, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03560 392 NtWriteVirtualMemory (380, 0x7ffdf1e8, (380, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 03561 392 NtFreeVirtualMemory (-1, (0xc30000), 0, 32768, ... (0xc30000), 4096, ) == 0x0 03562 392 NtAllocateVirtualMemory (380, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 03563 392 NtAllocateVirtualMemory (380, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 03564 392 NtProtectVirtualMemory (380, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 03565 392 NtCreateThread (0x1f03ff, 0x0, 380, 1239780, 1240500, 1, ... 
384, {588, 576}, ) == 0x0 03566 392 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312680, 1310720, 1393336, 1241600} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1393336, 1241600} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0\200\1\0\0L\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 316, 392, 1511, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0\200\1\0\0L\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ) ... {168, 196, reply, 0, 316, 392, 1511, 0} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1393336, 1241600} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0\200\1\0\0L\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 316, 392, 1511, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0\200\1\0\0L\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ) ) == 0x0 03567 392 NtResumeThread (384, ... 1, ) == 0x0 03568 392 NtClose (356, ... ) == 0x0 03569 392 NtClose (368, ... ) == 0x0 03570 392 NtDelayExecution (0, {-2000000, -1}, ... ) == 0x0 03571 392 NtClose (380, ... 
) == 0x0 03572 392 NtClose (384, ... ) == 0x0 03573 392 NtTerminateProcess (0, 0, ... ) == 0x0 03574 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x15,}, 4, ... ) == 0x0 03575 392 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 03576 392 NtClose (320, ... ) == 0x0 03577 392 NtClose (324, ... ) == 0x0 03578 392 NtClose (332, ... ) == 0x0 03579 392 NtClose (328, ... ) == 0x0 03580 392 NtClose (336, ... ) == 0x0 03581 392 NtClose (308, ... ) == 0x0 03582 392 NtClose (316, ... ) == 0x0 03583 392 NtClose (352, ... ) == 0x0 03584 392 NtClose (348, ... ) == 0x0 03585 392 NtClose (344, ... ) == 0x0 03586 392 NtClose (340, ... ) == 0x0 03587 392 NtClose (312, ... ) == 0x0 03588 392 NtClose (296, ... ) == 0x0 03589 392 NtClose (292, ... ) == 0x0 03590 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 03591 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 03592 392 NtClose (284, ... ) == 0x0 03593 392 NtUnmapViewOfSection (-1, 0xae0000, ... ) == 0x0 03594 392 NtClose (288, ... ) == 0x0 03595 392 NtClose (280, ... ) == 0x0 03596 392 NtClose (268, ... ) == 0x0 03597 392 NtClose (272, ... ) == 0x0 03598 392 NtClose (276, ... ) == 0x0 03599 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 03600 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 03601 392 NtWaitForMultipleObjects (2, (240, 248, ), 1, 0, 0x0, ... ) == 0x1 03602 392 NtClose (248, ... ) == 0x0 03603 392 NtSetEvent (240, ... 0x0, ) == 0x0 03604 392 NtClose (240, ... ) == 0x0 03605 392 NtWaitForMultipleObjects (2, (252, 256, ), 1, 0, 0x0, ... ) == 0x1 03606 392 NtClose (256, ... ) == 0x0 03607 392 NtSetEvent (252, ... 0x0, ) == 0x0 03608 392 NtClose (252, ... ) == 0x0 03609 392 NtWaitForMultipleObjects (2, (260, 264, ), 1, 0, 0x0, ... ) == 0x1 03610 392 NtClose (264, ... ) == 0x0 03611 392 NtSetEvent (260, ... 0x0, ) == 0x0 03612 392 NtClose (260, ... 
) == 0x0 03613 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 03614 392 NtFreeVirtualMemory (-1, (0xaa0000), 0, 32768, ... (0xaa0000), 262144, ) == 0x0 03615 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\USER32.dll"}, 1239360, ... ) == 0x0 03616 392 NtUserUnregisterClass (1241852, 1991376896, 1241840, ... ) == 0x0 03617 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc03b 03618 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03619 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc03d 03620 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03621 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc03f 03622 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03623 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc041 03624 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03625 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc043 03626 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03627 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc045 03628 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03629 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc047 03630 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03631 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc049 03632 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03633 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc04b 03634 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03635 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ...
) == 0xc04d 03636 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03637 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc04f 03638 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03639 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc051 03640 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03641 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc053 03642 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03643 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc057 03644 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03645 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc059 03646 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03647 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc05b 03648 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03649 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc05d 03650 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03651 392 NtUserGetClassInfo (1999896576, 1241940, 1241892, 1241968, 0, ... ) == 0xc05f 03652 392 NtUserUnregisterClass (1241944, 1999896576, 1241932, ... ) == 0x1 03653 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 03654 392 NtClose (168, ... ) == 0x0 03655 392 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 03656 392 NtClose (172, ... ) == 0x0 03657 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 03658 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 03659 392 NtClose (140, ... ) == 0x0 03660 392 NtClose (128, ... ) == 0x0 03661 392 NtClose (144, ... ) == 0x0 03662 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... 
) == 0xc03b 03663 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03664 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc03d 03665 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03666 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc03f 03667 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03668 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc041 03669 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03670 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc043 03671 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03672 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc045 03673 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03674 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc047 03675 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03676 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc049 03677 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03678 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc04b 03679 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03680 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc04d 03681 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03682 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc04f 03683 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03684 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc051 03685 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03686 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... 
) == 0xc053 03687 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03688 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc057 03689 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03690 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc059 03691 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03692 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc05b 03693 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03694 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc05d 03695 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03696 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc05f 03697 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03698 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc017 03699 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03700 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc019 03701 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03702 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc018 03703 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03704 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc01a 03705 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03706 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc01c 03707 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03708 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc01e 03709 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03710 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... 
) == 0xc01b 03711 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03712 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc068 03713 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03714 392 NtUserGetClassInfo (1905590272, 1241940, 1241892, 1241968, 0, ... ) == 0xc06a 03715 392 NtUserUnregisterClass (1241944, 1905590272, 1241932, ... ) == 0x1 03716 392 NtUnmapViewOfSection (-1, 0xa60000, ... ) == 0x0 03717 392 NtClose (136, ... ) == 0x0 03718 392 NtClose (124, ... ) == 0x0 03719 392 NtWaitForSingleObject (192, 0, 0x0, ... ) == 0x0 03720 392 NtClearEvent (192, ... ) == 0x0 03721 392 NtSetEvent (192, ... 0x0, ) == 0x0 03722 392 NtClose (192, ... ) == 0x0 03723 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 03724 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 03725 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 03726 392 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 03727 392 NtFreeVirtualMemory (-1, (0xc20000), 4096, 32768, ... (0xc20000), 4096, ) == 0x0 03728 392 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1390768, 2011597602, 0, 1} (24, {20, 48, new_msg, 0, 1390768, 2011597602, 0, 1} "\0\0\0\0\3\0\1\0\0\340\375\177\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 392, 1523, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 316, 392, 1523, 0} (24, {20, 48, new_msg, 0, 1390768, 2011597602, 0, 1} "\0\0\0\0\3\0\1\0\0\340\375\177\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 392, 1523, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03729 392 NtTerminateProcess (-1, 0, ... 03730 392 NtClose (44, ... ) == 0x0