Summary (number of calls recorded per system call):

NtAccessCheck(>) 1 NtUserGetThreadDesktop(>) 1 NtEnumerateKey(>) 6 NtUserFindExistingCursorIcon(>) 24
NtCallbackReturn(>) 1 NtDuplicateObject(>) 2 NtSetEvent(>) 6 NtFlushInstructionCache(>) 26
NtConnectPort(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryDirectoryFile(>) 7 NtOpenProcessTokenEx(>) 28
NtCreateProcessEx(>) 1 NtOpenDirectoryObject(>) 2 NtUserSystemParametersInfo(>) 7 NtOpenThreadTokenEx(>) 28
NtCreateThread(>) 1 NtOpenSymbolicLinkObject(>) 2 NtCreateMutant(>) 8 NtUnmapViewOfSection(>) 31
NtDelayExecution(>) 1 NtQueryInstallUILanguage(>) 2 NtSetInformationProcess(>) 8 NtQuerySystemInformation(>) 33
NtDuplicateToken(>) 1 NtQuerySymbolicLinkObject(>) 2 NtCreateKey(>) 9 NtFreeVirtualMemory(>) 34
NtFsControlFile(>) 1 NtReadVirtualMemory(>) 2 NtContinue(>) 10 NtQueryInformationToken(>) 34
NtGdiCreateBitmap(>) 1 NtTerminateProcess(>) 2 NtCreateSemaphore(>) 10 NtUserRegisterClassExWOW(>) 34
NtGdiInit(>) 1 NtAddAtom(>) 3 NtOpenMutant(>) 10 NtQuerySection(>) 35
NtGdiQueryFontAssocInfo(>) 1 NtClearEvent(>) 3 NtReleaseMutant(>) 10 NtQueryDebugFilterState(>) 37
NtGdiSelectBitmap(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryVolumeInformationFile(>) 12 NtQueryVirtualMemory(>) 52
NtOpenKeyedEvent(>) 1 NtNotifyChangeKey(>) 3 NtRequestWaitReplyPort(>) 12 NtCreateSection(>) 54
NtQueryEvent(>) 1 NtOpenEvent(>) 3 NtSetValueKey(>) 13 NtProtectVirtualMemory(>) 54
NtQueryInformationJobObject(>) 1 NtOpenProcess(>) 3 NtQueryDefaultUILanguage(>) 14 NtUserGetClassInfo(>) 54
NtQueryObject(>) 1 NtReleaseSemaphore(>) 3 NtQueryInformationProcess(>) 14 NtOpenSection(>) 57
NtQueryTimerResolution(>) 1 NtSetInformationObject(>) 3 NtSetInformationFile(>) 14 NtMapViewOfSection(>) 80
NtReadFile(>) 1 NtUserGetDC(>) 3 NtSetInformationThread(>) 14 NtOpenFile(>) 83
NtRegisterThreadTerminatePort(>) 1 NtWaitForMultipleObjects(>) 3 NtWaitForSingleObject(>) 18 NtAllocateVirtualMemory(>) 118
NtResumeThread(>) 1 NtWriteFile(>) 3 NtUserUnregisterClass(>) 19 NtQueryAttributesFile(>) 129
NtSecureConnectPort(>) 1 NtOpenProcessToken(>) 4 NtQueryDefaultLocale(>) 21 NtOpenKey(>) 196
NtTestAlert(>) 1 NtWriteVirtualMemory(>) 4 NtUserRegisterWindowMessage(>) 22 NtQueryValueKey(>) 338
NtUserCallNoParam(>) 1 NtGdiGetStockObject(>) 5 NtCreateEvent(>) 23 NtClose(>) 354
NtUserGetObjectInformation(>) 1 NtOpenThreadToken(>) 5 NtCreateFile(>) 23
NtUserGetProcessWindowStation(>) 1 NtDeviceIoControlFile(>) 6

Trace (calls in recorded order, each with its arguments, returned values and final status after "=="):

00001 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 408 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 408 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 408 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 408 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 408 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 408 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 408 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 408 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 408 NtClose (12, ... 
) == 0x0 00014 408 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 408 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 408 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 408 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 408 NtClose (16, ... ) == 0x0 00021 408 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 408 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 408 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18612224}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18612224}, {0, 0, 0}, 200, 44, ) == 0x0 00025 408 NtClose (16, ... ) == 0x0 00026 408 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 408 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 408 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 408 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\34\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\34\1\4\0\0\0" ... {28, 56, reply, 0, 388, 408, 1482, 0} "P\224\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\34\1\4\0\0\0" ) ... {28, 56, reply, 0, 388, 408, 1482, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\34\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\34\1\4\0\0\0" ... {28, 56, reply, 0, 388, 408, 1482, 0} "P\224\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\34\1\4\0\0\0" ) ) == 0x0 00032 408 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 408 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 408 NtClose (16, ... ) == 0x0 00036 408 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 408 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 408 NtClose (28, ... ) == 0x0 00041 408 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 408 NtClose (28, ... ) == 0x0 00045 408 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 408 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 408 NtClose (28, ... ) == 0x0 00049 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 408 NtClose (28, ... ) == 0x0 00052 408 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\34\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\34\18\6\0\0" ... 
{28, 56, reply, 0, 388, 408, 1485, 0} " \245\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\34\18\6\0\0" ) ... {28, 56, reply, 0, 388, 408, 1485, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\34\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\34\18\6\0\0" ... {28, 56, reply, 0, 388, 408, 1485, 0} " \245\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\34\18\6\0\0" ) ) == 0x0 00056 408 NtProtectVirtualMemory (-1, (0x495000), 12288, 4, ... (0x495000), 12288, 8, ) == 0x0 00057 408 NtProtectVirtualMemory (-1, (0x495000), 12288, 8, ... (0x495000), 12288, 8, ) == 0x0 00058 408 NtFlushInstructionCache (-1, 4804608, 12288, ... ) == 0x0 00059 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 408 NtClose (28, ... ) == 0x0 00062 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 408 NtClose (28, ... ) == 0x0 00065 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 408 NtClose (28, ... ) == 0x0 00068 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 408 NtClose (28, ... ) == 0x0 00071 408 NtProtectVirtualMemory (-1, (0x495000), 12288, 4, ... (0x495000), 12288, 8, ) == 0x0 00072 408 NtProtectVirtualMemory (-1, (0x495000), 12288, 8, ... (0x495000), 12288, 8, ) == 0x0 00073 408 NtFlushInstructionCache (-1, 4804608, 12288, ... 
) == 0x0 00074 408 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00075 408 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00076 408 NtClose (28, ... ) == 0x0 00077 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00078 408 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00079 408 NtClose (28, ... ) == 0x0 00080 408 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00081 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00082 408 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00083 408 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 408 NtClose (28, ... ) == 0x0 00085 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00086 408 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 408 NtClose (28, ... ) == 0x0 00088 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 
28, ) == 0x0 00089 408 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00090 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00092 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\34\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\34\1$\1\0\0" ... {28, 56, reply, 0, 388, 408, 1487, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\34\1$\1\0\0" ) ... {28, 56, reply, 0, 388, 408, 1487, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\34\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\34\1$\1\0\0" ... {28, 56, reply, 0, 388, 408, 1487, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\34\1$\1\0\0" ) ) == 0x0 00093 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 408 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0 00095 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00096 408 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00097 408 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00098 408 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00099 408 NtQueryInformationToken (-2147482020, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00100 408 NtClose (-2147482020, ... ) == 0x0 00101 408 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00102 408 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00103 408 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00104 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00105 408 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 408 NtClose (-2147482020, ... ) == 0x0 00107 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00108 408 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 408 NtClose (-2147482020, ... ) == 0x0 00110 408 NtQueryDefaultLocale (0, -133527028, ... ) == 0x0 00111 408 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00112 408 NtUserCallNoParam (24, ... ) == 0x0 00113 408 NtGdiCreateCompatibleDC (0, ... 00114 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00113 408 NtGdiCreateCompatibleDC ... ) == 0x100103ce 00115 408 NtGdiGetStockObject (0, ... ) == 0x1900010 00116 408 NtGdiGetStockObject (4, ... ) == 0x1900011 00117 408 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x140503cd 00118 408 NtGdiCreateSolidBrush (0, 0, ... 00119 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9109504, 4096, ) == 0x0 00118 408 NtGdiCreateSolidBrush ... ) == 0x131003d2 00120 408 NtGdiGetStockObject (13, ... ) == 0x18a0021 00121 408 NtGdiCreateCompatibleDC (0, ... 
) == 0x3e01040a 00122 408 NtGdiSelectBitmap (1040253962, 335872973, ... ) == 0x185000f 00123 408 NtUserGetThreadDesktop (408, 0, ... ) == 0x2c 00124 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00125 408 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00126 408 NtClose (52, ... ) == 0x0 00127 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00128 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00129 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00131 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00133 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00135 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00136 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00137 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00138 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00139 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00140 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810dc01d 00141 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00142 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00143 408 NtAllocateVirtualMemory (-1, 6057984, 0, 4096, 4096, 32, ... 6057984, 4096, ) == 0x0 00142 408 NtUserRegisterClassExWOW ... ) == 0x810dc026 00144 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00146 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00147 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00148 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00149 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00150 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00151 408 NtCallbackReturn (0, 0, 0, ... 00152 408 NtGdiInit (... ) == 0x1 00153 408 NtGdiGetStockObject (18, ... ) == 0x290001c 00154 408 NtGdiGetStockObject (19, ... ) == 0x1b00019 00155 408 NtTestAlert (... ) == 0x0 00156 408 NtContinue (1244464, 1, ... 00157 408 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x496bd6,}, 4, ... ) == 0x0 00158 408 NtContinue (1244368, 0, ... 00159 408 NtContinue (1244368, 0, ... 00160 408 NtContinue (1244368, 0, ... 00161 408 NtContinue (1244368, 0, ... 00162 408 NtContinue (1244368, 0, ... 00163 408 NtContinue (1244368, 0, ... 00164 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244968, (0x80100080, {24, 0, 0x40, 0, 1244968, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0 00165 408 NtReadFile (52, 0, 0, 0, 1024, 0x0, 0, ... 
{status=0x0, info=1024}, (52, 0, 0, 0, 1024, 0x0, 0, ... {status=0x0, info=1024}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0{\310\205\302?\251\353\221?\251\353\221?\251\353\221?\251\352\221\254\251\353\221]\266\370\221:\251\353\221D\265\347\221=\251\353\221\274\265\345\221&\251\353\221\327\266\341\221\271\251\353\221\327\266\340\221\13\251\353\221Rich?\251\353\221\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\375\313\375F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\0\0\0\0d\6\0\0\0\0\0\326k\11\0\0\20\0\0\0 \3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\11\0\0\4\0\0\374\332\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\342k\11\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~l\11\0\10\0\0\0\0 \3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0.text\0\0\0\0\20\3\0\0\20\0\0\0n\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00166 408 NtClose (52, ... ) == 0x0 00167 408 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00168 408 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "nxx8xZd3"}, 1, ... 56, ) }, 1, ... 56, ) == 0x0 00169 408 NtAllocateVirtualMemory (-1, 0, 0, 93712, 4096, 4, ... 9175040, 94208, ) == 0x0 00170 408 NtFreeVirtualMemory (-1, (0x8c0000), 93712, 16384, ... (0x8c0000), 94208, ) == 0x0 00171 408 NtAllocateVirtualMemory (-1, 0, 0, 4624, 4096, 4, ... 9306112, 8192, ) == 0x0 00172 408 NtFreeVirtualMemory (-1, (0x8e0000), 4624, 16384, ... (0x8e0000), 8192, ) == 0x0 00173 408 NtAllocateVirtualMemory (-1, 0, 0, 23568, 4096, 4, ... 
9371648, 24576, ) == 0x0 00174 408 NtFreeVirtualMemory (-1, (0x8f0000), 23568, 16384, ... (0x8f0000), 24576, ) == 0x0 00175 408 NtAllocateVirtualMemory (-1, 0, 0, 2064, 4096, 4, ... 9437184, 4096, ) == 0x0 00176 408 NtFreeVirtualMemory (-1, (0x900000), 2064, 16384, ... (0x900000), 4096, ) == 0x0 00177 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00178 408 NtQueryValueKey (60, (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 408 NtClose (60, ... ) == 0x0 00180 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00183 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0 00184 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00185 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 64, ) == 0x0 00186 408 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00187 408 NtOpenProcessToken (-1, 0x8, ... 68, ) == 0x0 00188 408 NtQueryInformationToken (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00189 408 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00190 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0 00191 408 NtQueryValueKey (72, (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00192 408 NtClose (72, ... ) == 0x0 00193 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00194 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00195 408 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00196 408 NtClose (72, ... ) == 0x0 00197 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 408 NtClose (68, ... ) == 0x0 00199 408 NtClose (60, ... ) == 0x0 00200 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00201 408 NtClose (64, ... ) == 0x0 00202 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 64, ) }, ... 64, ) == 0x0 00203 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00204 408 NtClose (64, ... ) == 0x0 00205 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00207 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00208 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242260, ... ) }, 1242260, ... ) == 0x0 00209 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00210 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 60, ) == 0x0 00211 408 NtQuerySection (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00212 408 NtClose (64, ... ) == 0x0 00213 408 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00214 408 NtClose (60, ... ) == 0x0 00215 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00216 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9502720, 65536, ) == 0x0 00217 408 NtAllocateVirtualMemory (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00218 408 NtAllocateVirtualMemory (-1, 9506816, 0, 8192, 4096, 4, ... 9506816, 8192, ) == 0x0 00219 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 60, ) }, ... 60, ) == 0x0 00220 408 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x920000), 0x0, 12288, ) == 0x0 00221 408 NtClose (60, ... ) == 0x0 00222 408 NtAllocateVirtualMemory (-1, 9515008, 0, 4096, 4096, 4, ... 9515008, 4096, ) == 0x0 00223 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00224 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00225 408 NtAllocateVirtualMemory (-1, 0, 0, 6419, 4096, 4, ... 9633792, 8192, ) == 0x0 00226 408 NtOpenProcess (0x1f0fff, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 60, ) == 0x0 00227 408 NtProtectVirtualMemory (60, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00228 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00229 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9699328, 65536, ) == 0x0 00230 408 NtAllocateVirtualMemory (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0 00231 408 NtAllocateVirtualMemory (-1, 9703424, 0, 8192, 4096, 4, ... 9703424, 8192, ) == 0x0 00232 408 NtAllocateVirtualMemory (-1, 9711616, 0, 20480, 4096, 4, ... 9711616, 20480, ) == 0x0 00233 408 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9764864, 1048576, ) == 0x0 00234 408 NtAllocateVirtualMemory (-1, 9764864, 0, 32768, 4096, 4, ... 9764864, 32768, ) == 0x0 00235 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 64, ) }, ... 64, ) == 0x0 00236 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00237 408 NtClose (64, ... ) == 0x0 00238 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 64, ) }, ... 
64, ) == 0x0 00239 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00240 408 NtClose (64, ... ) == 0x0 00241 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00242 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00243 408 NtClose (64, ... ) == 0x0 00244 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 64, ) }, ... 64, ) == 0x0 00245 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00246 408 NtClose (64, ... ) == 0x0 00247 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00248 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00249 408 NtClose (64, ... ) == 0x0 00250 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 64, ) }, ... 64, ) == 0x0 00251 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00252 408 NtClose (64, ... ) == 0x0 00253 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 408 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00255 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00256 408 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00257 408 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00258 408 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 
1339392, 4096, ) == 0x0 00259 408 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1240596, 0, (0x1f0003, {24, 52, 0x80, 1240596, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00260 408 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0 00261 408 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00262 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00263 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00264 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0 00265 408 NtQueryValueKey (68, (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00266 408 NtClose (68, ... ) == 0x0 00267 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00268 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00269 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00270 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00271 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0 00272 408 NtQueryValueKey (68, (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 408 NtQueryValueKey (68, (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00274 408 NtQueryValueKey (68, (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00275 408 NtClose (68, ... ) == 0x0 00276 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0 00277 408 NtQueryValueKey (68, (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00278 408 NtQueryValueKey (68, (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 408 NtClose (68, ... ) == 0x0 00280 408 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 408 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00282 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00283 408 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00284 408 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00285 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00286 408 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00287 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00288 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00289 408 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00290 408 NtClose (68, ... ) == 0x0 00291 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0 00292 408 NtSetInformationObject (68, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00293 408 NtCreateKey (0xf003f, {24, 68, 0x40, 0, 0, (0xf003f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0 00294 408 NtQueryDefaultUILanguage (1238832, ... 00295 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00296 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00297 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00298 408 NtClose (-2147482020, ... ) == 0x0 00299 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 00300 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00302 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00303 408 NtClose (-2147482032, ... ) == 0x0 00304 408 NtClose (-2147482020, ... ) == 0x0 00294 408 NtQueryDefaultUILanguage ... ) == 0x0 00305 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 408 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00307 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 76, {status=0x0, info=1}, ) }, 1, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00308 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 76, ... 80, ) == 0x0 00309 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 593920, ) == 0x0 00310 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 408 NtQueryDefaultUILanguage (2013024600, ... 00312 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00313 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00314 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00315 408 NtClose (-2147482020, ... 
) == 0x0 00316 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00317 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00319 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00320 408 NtClose (-2147482032, ... ) == 0x0 00321 408 NtClose (-2147482020, ... ) == 0x0 00311 408 NtQueryDefaultUILanguage ... ) == 0x0 00322 408 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00323 408 NtQueryDefaultLocale (1, 1236868, ... ) == 0x0 00324 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00325 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237724, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237724, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1L\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\334\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1498, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1L\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\334\351\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 388, 408, 1498, 0} (24, {128, 156, new_msg, 0, 1237724, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1L\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\334\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1498, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1L\0\0\0\377\377\377\377\0\0\0\0P\275\254\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\334\351\22\0\0\0\0\0" ) ) == 0x0 00326 408 NtClose (76, ... ) == 0x0 00327 408 NtClose (80, ... ) == 0x0 00328 408 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00329 408 NtUnmapViewOfSection (-1, 0x12e9dc, ... ) == STATUS_NOT_MAPPED_VIEW 00330 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00331 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00333 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00334 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235408, ... ) }, 1235408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00335 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00336 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00337 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00338 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236000, ... ) }, 1236000, ... 
) == 0x0 00339 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 80, {status=0x0, info=1}, ) }, 3, 33, ... 80, {status=0x0, info=1}, ) == 0x0 00340 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00341 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00342 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 76, ... 84, ) == 0x0 00343 408 NtClose (76, ... ) == 0x0 00344 408 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb00000), 0x0, 921600, ) == 0x0 00345 408 NtClose (84, ... ) == 0x0 00346 408 NtUnmapViewOfSection (-1, 0xb00000, ... ) == 0x0 00347 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00348 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 76, ) == 0x0 00349 408 NtQuerySection (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00350 408 NtClose (84, ... ) == 0x0 00351 408 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00352 408 NtClose (76, ... ) == 0x0 00353 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00354 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00355 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00356 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00357 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00358 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00359 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00360 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00361 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00362 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00363 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00364 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00365 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00366 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00367 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00368 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00369 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00370 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00371 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00372 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00373 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00374 408 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237184, ... ) , 42, 1237184, ... ) == 0x0 00375 408 NtQueryDefaultUILanguage (1235900, ... 00376 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00377 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00378 408 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00379 408 NtClose (-2147482020, ... ) == 0x0 00380 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00381 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00383 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00384 408 NtClose (-2147482032, ... ) == 0x0 00385 408 NtClose (-2147482020, ... ) == 0x0 00375 408 NtQueryDefaultUILanguage ... ) == 0x0 00386 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00387 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234752, ... ) }, 1234752, ... ) == 0x0 00388 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00389 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 76, ... 84, ) == 0x0 00390 408 NtClose (76, ... ) == 0x0 00391 408 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 4096, ) == 0x0 00392 408 NtClose (84, ... ) == 0x0 00393 408 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00394 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234392, ... ) }, 1234392, ... 
) == 0x0 00395 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235092, (0x80100080, {24, 0, 0x40, 0, 1235092, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0 00396 408 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 84, ... 76, ) == 0x0 00397 408 NtClose (84, ... ) == 0x0 00398 408 NtMapViewOfSection (76, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa50000), {0, 0}, 4096, ) == 0x0 00399 408 NtClose (76, ... ) == 0x0 00400 408 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00401 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 76, {status=0x0, info=1}, ) }, 1, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00402 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 76, ... 84, ) == 0x0 00403 408 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 4096, ) == 0x0 00404 408 NtQueryInformationFile (76, 1234712, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00405 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00406 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234792, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234792, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1L\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0h\336\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 388, 408, 1499, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1L\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0h\336\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 408, 1499, 0} (24, {128, 156, new_msg, 0, 1234792, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1L\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0h\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1499, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1L\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0h\336\22\0\0\0\0\0" ) ) == 0x0 00407 408 NtClose (76, ... ) == 0x0 00408 408 NtClose (84, ... ) == 0x0 00409 408 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00410 408 NtUnmapViewOfSection (-1, 0x12de68, ... ) == STATUS_NOT_MAPPED_VIEW 00411 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00412 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00413 408 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00414 408 NtUserGetDC (0, ... ) == 0x1010050 00415 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00416 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00417 408 NtContinue (1234748, 0, ... 00418 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00419 408 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 00420 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00421 408 NtUnmapViewOfSection (-1, 0xaf0000, ... ) == 0x0 00422 408 NtClose (80, ... ) == 0x0 00423 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 
80, ) }, ... 80, ) == 0x0 00424 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00425 408 NtClose (80, ... ) == 0x0 00426 408 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {388, 0}, ... 80, ) == 0x0 00427 408 NtQueryInformationProcess (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00428 408 NtClose (80, ... ) == 0x0 00429 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00430 408 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00431 408 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00432 408 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0 00433 408 NtQueryValueKey (80, (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00434 408 NtClose (80, ... ) == 0x0 00435 408 NtUserSystemParametersInfo (41, 500, 1237316, 0, ... ) == 0x1 00436 408 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00437 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00438 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00439 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc03b 00440 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00441 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc03d 00442 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00443 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00444 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc03f 00445 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00446 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... 
) == 0x10011 00447 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc041 00448 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00449 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00450 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc043 00451 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00452 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc045 00453 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00454 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00455 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc047 00456 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00457 408 NtUserFindExistingCursorIcon (1237104, 1237120, 1237688, ... ) == 0x10011 00458 408 NtUserRegisterClassExWOW (1237556, 1237636, 1237620, 1237652, 0, 384, 0, ... ) == 0x810dc049 00459 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00460 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00461 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc04b 00462 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00463 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00464 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc04d 00465 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00466 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00467 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... 
) == 0x810dc04f 00468 408 NtUserGetClassInfo (1999896576, 1237728, 1237680, 1237756, 0, ... ) == 0x0 00469 408 NtUserRegisterClassExWOW (1237564, 1237644, 1237628, 1237660, 0, 384, 0, ... ) == 0x810dc051 00470 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00471 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00472 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc053 00473 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00474 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00475 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc055 00476 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc057 00477 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00478 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00479 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc059 00480 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00481 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10013 00482 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc05b 00483 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00484 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00485 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... ) == 0x810dc05d 00486 408 NtUserGetClassInfo (1999896576, 1237724, 1237676, 1237752, 0, ... ) == 0x0 00487 408 NtUserFindExistingCursorIcon (1237108, 1237124, 1237692, ... ) == 0x10011 00488 408 NtUserRegisterClassExWOW (1237560, 1237640, 1237624, 1237656, 0, 384, 0, ... 
) == 0x810dc05f 00489 408 NtCreateKey (0x2001f, {24, 68, 0x40, 0, 0, (0x2001f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0 00490 408 NtQueryValueKey (80, (80, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00491 408 NtQueryValueKey (80, (80, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00492 408 NtQueryValueKey (80, (80, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 408 NtQueryValueKey (80, (80, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00494 408 NtQueryValueKey (80, (80, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00495 408 NtQueryValueKey (80, (80, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 408 NtQueryValueKey (80, (80, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 408 NtQueryValueKey (80, (80, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00498 408 NtQueryValueKey (80, (80, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00499 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00500 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239936, ... ) }, 1239936, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00501 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239936, ... ) }, 1239936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00502 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239936, ... ) }, 1239936, ... ) == 0x0 00503 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00504 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 76, ) == 0x0 00505 408 NtQuerySection (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00506 408 NtClose (84, ... ) == 0x0 00507 408 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00508 408 NtClose (76, ... ) == 0x0 00509 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0 00510 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0 00511 408 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 88, ) }, ... 88, ) == 0x0 00512 408 NtQueryEvent (88, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 00513 408 NtClose (88, ... ) == 0x0 00514 408 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241420, 140, ... 88, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241420, 140, ... 88, 0x0, 0x0, 256, 140, ) == 0x0 00515 408 NtRequestWaitReplyPort (88, {28, 52, new_msg, 0, 0, 0, 0, 0} (88, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... 
{176, 200, reply, 0, 388, 408, 1501, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 388, 408, 1501, 0} (88, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 388, 408, 1501, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00516 408 NtQueryValueKey (80, (80, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 408 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 92, ) }, ... 92, ) == 0x0 00518 408 NtQueryValueKey (92, (92, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 408 NtClose (92, ... ) == 0x0 00520 408 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 92, ) }, ... 92, ) == 0x0 00521 408 NtQueryValueKey (92, (92, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 408 NtClose (92, ... ) == 0x0 00523 408 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 92, ) }, ... 
92, ) == 0x0 00524 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00525 408 NtQueryValueKey (96, (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00526 408 NtClose (96, ... ) == 0x0 00527 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 96, ) }, ... 96, ) == 0x0 00528 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 100, ) }, ... 100, ) == 0x0 00529 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0 00530 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 108, ) }, ... 108, ) == 0x0 00531 408 NtQueryValueKey (108, (108, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00532 408 NtQueryValueKey (108, (108, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00533 408 NtClose (108, ... ) == 0x0 00534 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 108, ) }, ... 108, ) == 0x0 00535 408 NtQueryValueKey (108, (108, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00536 408 NtQueryValueKey (108, (108, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00537 408 NtQueryValueKey (108, (108, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00538 408 NtQueryValueKey (108, (108, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00539 408 NtQueryValueKey (108, (108, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00540 408 NtQueryValueKey (108, (108, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00541 408 NtClose (108, ... ) == 0x0 00542 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Content"}, ... 108, ) }, ... 108, ) == 0x0 00543 408 NtQueryValueKey (108, (108, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00544 408 NtClose (108, ... ) == 0x0 00545 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Content"}, ... 108, ) }, ... 108, ) == 0x0 00546 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 112, ) }, ... 112, ) == 0x0 00547 408 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x773d0000), 0x0, 8339456, ) == 0x0 00548 408 NtClose (112, ... ) == 0x0 00549 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 112, ) }, ... 112, ) == 0x0 00550 408 NtQueryValueKey (112, (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00551 408 NtClose (112, ... ) == 0x0 00552 408 NtQueryDefaultUILanguage (1236388, ... 00553 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00554 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00555 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00556 408 NtClose (-2147482020, ... ) == 0x0 00557 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00558 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00559 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00560 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00561 408 NtClose (-2147482032, ... ) == 0x0 00562 408 NtClose (-2147482020, ... ) == 0x0 00552 408 NtQueryDefaultUILanguage ... ) == 0x0 00563 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00564 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 112, {status=0x0, info=1}, ) }, 1, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00565 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 112, ... 116, ) == 0x0 00566 408 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa70000), 0x0, 8323072, ) == 0x0 00567 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00568 408 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00569 408 NtQueryDefaultLocale (1, 1234424, ... ) == 0x0 00570 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00571 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235280, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235280, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\336\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0P\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1502, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\336\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0P\340\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 388, 408, 1502, 0} (24, {128, 156, new_msg, 0, 1235280, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\336\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0P\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1502, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\34\1p\0\0\0\377\377\377\377\0\0\0\0\20\311\336\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0P\340\22\0\0\0\0\0" ) ) == 0x0 00572 408 NtClose (112, ... ) == 0x0 00573 408 NtClose (116, ... ) == 0x0 00574 408 NtUnmapViewOfSection (-1, 0xa70000, ... ) == 0x0 00575 408 NtUnmapViewOfSection (-1, 0x12e050, ... ) == STATUS_NOT_MAPPED_VIEW 00576 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00577 408 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00578 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00580 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00581 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233508, ... ) }, 1233508, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00583 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00584 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00585 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1234100, ... ) }, 1234100, ... 
) == 0x0 00586 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 116, {status=0x0, info=1}, ) }, 3, 33, ... 116, {status=0x0, info=1}, ) == 0x0 00587 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00588 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00589 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 120, ) == 0x0 00590 408 NtClose (112, ... ) == 0x0 00591 408 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa70000), 0x0, 921600, ) == 0x0 00592 408 NtClose (120, ... ) == 0x0 00593 408 NtUnmapViewOfSection (-1, 0xa70000, ... ) == 0x0 00594 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00595 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 120, ... 112, ) == 0x0 00596 408 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00597 408 NtClose (120, ... ) == 0x0 00598 408 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00599 408 NtClose (112, ... ) == 0x0 00600 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00601 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00602 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00603 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00604 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00605 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00606 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00607 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00608 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00609 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00610 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00611 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00612 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00613 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00614 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00615 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00616 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00617 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00618 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00619 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00620 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00621 408 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1235284, ... ) , 42, 1235284, ... ) == 0x0 00622 408 NtQueryDefaultUILanguage (1234000, ... 00623 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00624 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00625 408 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00626 408 NtClose (-2147482020, ... ) == 0x0 00627 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00628 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00629 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00630 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00631 408 NtClose (-2147482032, ... ) == 0x0 00632 408 NtClose (-2147482020, ... ) == 0x0 00622 408 NtQueryDefaultUILanguage ... ) == 0x0 00633 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00634 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1232852, ... ) }, 1232852, ... ) == 0x0 00635 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00636 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 120, ) == 0x0 00637 408 NtClose (112, ... ) == 0x0 00638 408 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa70000), 0x0, 4096, ) == 0x0 00639 408 NtClose (120, ... ) == 0x0 00640 408 NtUnmapViewOfSection (-1, 0xa70000, ... ) == 0x0 00641 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1232492, ... ) }, 1232492, ... 
) == 0x0 00642 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1233192, (0x80100080, {24, 0, 0x40, 0, 1233192, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0 00643 408 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 120, ... 112, ) == 0x0 00644 408 NtClose (120, ... ) == 0x0 00645 408 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa70000), {0, 0}, 4096, ) == 0x0 00646 408 NtClose (112, ... ) == 0x0 00647 408 NtUnmapViewOfSection (-1, 0xa70000, ... ) == 0x0 00648 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 112, {status=0x0, info=1}, ) }, 1, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00649 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0 00650 408 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa70000), 0x0, 4096, ) == 0x0 00651 408 NtQueryInformationFile (112, 1232812, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00652 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00653 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1232892, 1, 96, 0} (24, {128, 156, new_msg, 0, 1232892, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 388, 408, 1503, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 408, 1503, 0} (24, {128, 156, new_msg, 0, 1232892, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1503, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1p\0\0\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0" ) ) == 0x0 00654 408 NtClose (112, ... ) == 0x0 00655 408 NtClose (120, ... ) == 0x0 00656 408 NtUnmapViewOfSection (-1, 0xa70000, ... ) == 0x0 00657 408 NtUnmapViewOfSection (-1, 0x12d6fc, ... ) == STATUS_NOT_MAPPED_VIEW 00658 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00659 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00660 408 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00661 408 NtUserGetDC (0, ... ) == 0x1010054 00662 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00663 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00664 408 NtContinue (1232856, 0, ... 00665 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00666 408 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 00667 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00668 408 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00669 408 NtClose (116, ... ) == 0x0 00670 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... 
) == 0xc03b 00671 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc03d 00672 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc03f 00673 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc041 00674 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc043 00675 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc045 00676 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc047 00677 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc049 00678 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc04b 00679 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc04d 00680 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc04f 00681 408 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc051 00682 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc053 00683 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc055 00684 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc059 00685 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc05b 00686 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc05d 00687 408 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc05f 00688 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00689 408 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1354768, 0, (0x1f0003, {24, 52, 0x80, 1354768, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 116, ) }, 0, 2147483647, ... 116, ) == STATUS_OBJECT_NAME_EXISTS 00690 408 NtReleaseSemaphore (116, 1, ... 0, ) == 0x0 00691 408 NtWaitForSingleObject (116, 0, {0, 0}, ... 
) == 0x0 00692 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00693 408 NtQueryValueKey (120, (120, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (120, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00694 408 NtClose (120, ... ) == 0x0 00695 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238648, ... ) }, 1238648, ... ) == 0x0 00696 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00697 408 NtSetValueKey (120, (120, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (120, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 00698 408 NtClose (120, ... 
) == 0x0 00699 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239980, ... ) }, 1239980, ... ) == 0x0 00700 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239712, ... ) }, 1239712, ... ) == 0x0 00701 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 120, {status=0x0, info=1}, ) }, 7, 2113568, ... 120, {status=0x0, info=1}, ) == 0x0 00702 408 NtSetInformationFile (120, 1239688, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00703 408 NtClose (120, ... ) == 0x0 00704 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239712, ... ) }, 1239712, ... ) == 0x0 00705 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00706 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00707 408 NtQueryValueKey (108, (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 00708 408 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 120, ) }, ... 
120, ) == 0x0 00709 408 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Paths"}, ... 112, ) }, ... 112, ) == 0x0 00710 408 NtOpenKey (0xf, {24, 112, 0x40, 0, 0, (0xf, {24, 112, 0x40, 0, 0, "Path1"}, ... 124, ) }, ... 124, ) == 0x0 00711 408 NtOpenKey (0xf, {24, 112, 0x40, 0, 0, (0xf, {24, 112, 0x40, 0, 0, "Path2"}, ... 128, ) }, ... 128, ) == 0x0 00712 408 NtOpenKey (0xf, {24, 112, 0x40, 0, 0, (0xf, {24, 112, 0x40, 0, 0, "Path3"}, ... 132, ) }, ... 132, ) == 0x0 00713 408 NtOpenKey (0xf, {24, 112, 0x40, 0, 0, (0xf, {24, 112, 0x40, 0, 0, "Path4"}, ... 136, ) }, ... 136, ) == 0x0 00714 408 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Special Paths"}, ... 140, ) }, ... 140, ) == 0x0 00715 408 NtSetValueKey (112, (112, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (112, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 00716 408 NtSetValueKey (112, (112, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (112, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 00717 408 NtSetValueKey (124, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... 
) , 0, 1, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 00718 408 NtSetValueKey (128, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 00719 408 NtSetValueKey (132, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... 
) == 0x0 00720 408 NtSetValueKey (136, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 00721 408 NtSetValueKey (124, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00722 408 NtSetValueKey (128, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00723 408 NtSetValueKey (132, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00724 408 NtSetValueKey (136, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00725 408 NtClose (136, ... ) == 0x0 00726 408 NtClose (132, ... ) == 0x0 00727 408 NtClose (128, ... ) == 0x0 00728 408 NtClose (124, ... ) == 0x0 00729 408 NtClose (112, ... ) == 0x0 00730 408 NtClose (140, ... ) == 0x0 00731 408 NtClose (120, ... ) == 0x0 00732 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Cookies"}, ... 120, ) }, ... 120, ) == 0x0 00733 408 NtQueryValueKey (120, (120, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (120, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00734 408 NtClose (120, ... 
) == 0x0 00735 408 NtClose (108, ... ) == 0x0 00736 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Cookies"}, ... 108, ) }, ... 108, ) == 0x0 00737 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00738 408 NtReleaseSemaphore (116, 1, ... 0, ) == 0x0 00739 408 NtWaitForSingleObject (116, 0, {0, 0}, ... ) == 0x0 00740 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00741 408 NtQueryValueKey (120, (120, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (120, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00742 408 NtClose (120, ... ) == 0x0 00743 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238648, ... ) }, 1238648, ... ) == 0x0 00744 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00745 408 NtSetValueKey (120, (120, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (120, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 00746 408 NtClose (120, ... ) == 0x0 00747 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239980, ... ) }, 1239980, ... 
) == 0x0 00748 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00749 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00750 408 NtQueryValueKey (108, (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00751 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "History"}, ... 120, ) }, ... 120, ) == 0x0 00752 408 NtQueryValueKey (120, (120, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (120, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00753 408 NtClose (120, ... ) == 0x0 00754 408 NtClose (108, ... ) == 0x0 00755 408 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "History"}, ... 108, ) }, ... 108, ) == 0x0 00756 408 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00757 408 NtReleaseSemaphore (116, 1, ... 0, ) == 0x0 00758 408 NtWaitForSingleObject (116, 0, {0, 0}, ... ) == 0x0 00759 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00760 408 NtQueryValueKey (120, (120, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (120, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00761 408 NtClose (120, ... ) == 0x0 00762 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238648, ... ) }, 1238648, ... ) == 0x0 00763 408 NtCreateKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0 00764 408 NtSetValueKey (120, (120, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (120, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 00765 408 NtClose (120, ... ) == 0x0 00766 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239980, ... ) }, 1239980, ... ) == 0x0 00767 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239712, ... ) }, 1239712, ... ) == 0x0 00768 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 120, {status=0x0, info=1}, ) }, 7, 2113568, ... 
120, {status=0x0, info=1}, ) == 0x0 00769 408 NtSetInformationFile (120, 1239688, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00770 408 NtClose (120, ... ) == 0x0 00771 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239712, ... ) }, 1239712, ... ) == 0x0 00772 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00773 408 NtQueryValueKey (108, (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00774 408 NtQueryValueKey (108, (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00775 408 NtClose (108, ... ) == 0x0 00776 408 NtClose (104, ... ) == 0x0 00777 408 NtClose (96, ... ) == 0x0 00778 408 NtClose (100, ... ) == 0x0 00779 408 NtClose (92, ... ) == 0x0 00780 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 92, ) }, ... 92, ) == 0x0 00781 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 100, ) }, ... 100, ) == 0x0 00782 408 NtWaitForSingleObject (100, 0, 0x0, ... ) == 0x0 00783 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 
96, {status=0x0, info=1}, ) }, 3, 8388641, ... 96, {status=0x0, info=1}, ) == 0x0 00784 408 NtQueryVolumeInformationFile (96, 1241232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00785 408 NtClose (96, ... ) == 0x0 00786 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 96, {status=0x0, info=1}, ) }, 3, 8388641, ... 96, {status=0x0, info=1}, ) == 0x0 00787 408 NtQueryVolumeInformationFile (96, 1241256, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00788 408 NtClose (96, ... ) == 0x0 00789 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241584, ... ) }, 1241584, ... ) == 0x0 00790 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 96, {status=0x0, info=1}, ) }, 7, 2113568, ... 96, {status=0x0, info=1}, ) == 0x0 00791 408 NtSetInformationFile (96, 1241560, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00792 408 NtClose (96, ... ) == 0x0 00793 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241576, (0xc0100080, {24, 0, 0x40, 1354768, 1241576, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0 00794 408 NtSetInformationFile (96, 1241628, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00795 408 NtQueryInformationFile (96, 1241628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00796 408 NtClose (96, ... ) == 0x0 00797 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241560, (0xc0100080, {24, 0, 0x40, 1354768, 1241560, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
96, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0 00798 408 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 104, ) }, ... 104, ) == 0x0 00799 408 NtMapViewOfSection (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 32768, ) == 0x0 00800 408 NtReleaseMutant (100, ... 0x0, ) == 0x0 00801 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 108, ) }, ... 108, ) == 0x0 00802 408 NtWaitForSingleObject (108, 0, 0x0, ... ) == 0x0 00803 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 120, {status=0x0, info=1}, ) }, 3, 8388641, ... 120, {status=0x0, info=1}, ) == 0x0 00804 408 NtQueryVolumeInformationFile (120, 1241232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00805 408 NtClose (120, ... ) == 0x0 00806 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 120, {status=0x0, info=1}, ) }, 3, 8388641, ... 120, {status=0x0, info=1}, ) == 0x0 00807 408 NtQueryVolumeInformationFile (120, 1241256, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00808 408 NtClose (120, ... ) == 0x0 00809 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241584, ... ) }, 1241584, ... ) == 0x0 00810 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 120, {status=0x0, info=1}, ) }, 7, 2113568, ... 120, {status=0x0, info=1}, ) == 0x0 00811 408 NtSetInformationFile (120, 1241560, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00812 408 NtClose (120, ... 
) == 0x0 00813 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241576, (0xc0100080, {24, 0, 0x40, 1354768, 1241576, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0 00814 408 NtSetInformationFile (120, 1241628, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00815 408 NtQueryInformationFile (120, 1241628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00816 408 NtClose (120, ... ) == 0x0 00817 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241560, (0xc0100080, {24, 0, 0x40, 1354768, 1241560, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0 00818 408 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 140, ) }, ... 140, ) == 0x0 00819 408 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa70000), {0, 0}, 16384, ) == 0x0 00820 408 NtReleaseMutant (108, ... 0x0, ) == 0x0 00821 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 112, ) }, ... 112, ) == 0x0 00822 408 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00823 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0 00824 408 NtQueryVolumeInformationFile (124, 1241232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00825 408 NtClose (124, ... ) == 0x0 00826 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 
124, {status=0x0, info=1}, ) == 0x0 00827 408 NtQueryVolumeInformationFile (124, 1241256, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00828 408 NtClose (124, ... ) == 0x0 00829 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241584, ... ) }, 1241584, ... ) == 0x0 00830 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 124, {status=0x0, info=1}, ) }, 7, 2113568, ... 124, {status=0x0, info=1}, ) == 0x0 00831 408 NtSetInformationFile (124, 1241560, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00832 408 NtClose (124, ... ) == 0x0 00833 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241576, (0xc0100080, {24, 0, 0x40, 1354768, 1241576, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 00834 408 NtSetInformationFile (124, 1241628, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00835 408 NtQueryInformationFile (124, 1241628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00836 408 NtClose (124, ... ) == 0x0 00837 408 NtCreateFile (0xc0100080, {24, 0, 0x40, 1354768, 1241560, (0xc0100080, {24, 0, 0x40, 1354768, 1241560, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 00838 408 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 128, ) }, ... 128, ) == 0x0 00839 408 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 32768, ) == 0x0 00840 408 NtReleaseMutant (112, ... 
0x0, ) == 0x0 00841 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241640, ... ) }, 1241640, ... ) == 0x0 00842 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00843 408 NtSetInformationFile (132, 1241616, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00844 408 NtClose (132, ... ) == 0x0 00845 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241640, ... ) }, 1241640, ... ) == 0x0 00846 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241640, ... ) }, 1241640, ... ) == 0x0 00847 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00848 408 NtSetInformationFile (132, 1241616, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00849 408 NtClose (132, ... ) == 0x0 00850 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241640, ... ) }, 1241640, ... ) == 0x0 00851 408 NtWaitForSingleObject (100, 0, 0x0, ... ) == 0x0 00852 408 NtQueryInformationFile (96, 1240024, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00853 408 NtReleaseMutant (100, ... 0x0, ) == 0x0 00854 408 NtOpenKey (0xf, {24, 68, 0x40, 0, 0, (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
132, ) }, ... 132, ) == 0x0 00855 408 NtOpenKey (0xf, {24, 132, 0x40, 0, 0, (0xf, {24, 132, 0x40, 0, 0, "Extensible Cache"}, ... 136, ) }, ... 136, ) == 0x0 00856 408 NtClose (132, ... ) == 0x0 00857 408 NtWaitForSingleObject (92, 0, {-600000000, -1}, ... ) == 0x0 00858 408 NtEnumerateKey (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 00859 408 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007051420070521"}, ... 132, ) }, ... 132, ) == 0x0 00860 408 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00861 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00862 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00863 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00864 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00865 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00866 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00867 408 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00868 408 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00869 408 NtClose (132, ... ) == 0x0 00870 408 NtEnumerateKey (136, 1, Basic, 288, ... 
{LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 00871 408 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007052120070528"}, ... 132, ) }, ... 132, ) == 0x0 00872 408 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00873 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00874 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00875 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00876 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00877 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00878 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00879 408 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00880 408 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00881 408 NtClose (132, ... ) == 0x0 00882 408 NtEnumerateKey (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 00883 408 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007053120070601"}, ... 132, ) }, ... 
132, ) == 0x0 00884 408 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00885 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00886 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00887 408 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00888 408 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00889 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00890 408 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00891 408 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00892 408 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00893 408 NtClose (132, ... ) == 0x0 00894 408 NtEnumerateKey (136, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 00895 408 NtReleaseMutant (92, ... 0x0, ) == 0x0 00896 408 NtClose (136, ... ) == 0x0 00897 408 NtWaitForSingleObject (100, 0, 0x0, ... ) == 0x0 00898 408 NtQueryInformationFile (96, 1241952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00899 408 NtReleaseMutant (100, ... 0x0, ) == 0x0 00900 408 NtWaitForSingleObject (100, 0, 0x0, ... ) == 0x0 00901 408 NtQueryInformationFile (96, 1242024, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00902 408 NtReleaseMutant (100, ... 0x0, ) == 0x0 00903 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00904 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00909 408 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 408 NtClose (136, ... ) == 0x0 00911 408 NtQueryValueKey (80, (80, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 408 NtQueryValueKey (80, (80, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 408 NtQueryValueKey (80, (80, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 408 NtQueryValueKey (80, (80, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 408 NtQueryValueKey (80, (80, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 408 NtQueryValueKey (80, (80, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00917 408 NtQueryValueKey (80, (80, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 408 NtQueryValueKey (80, (80, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 408 NtQueryValueKey (80, (80, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 408 NtQueryValueKey (80, (80, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 408 NtQueryValueKey (80, (80, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 408 NtQueryValueKey (80, (80, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 408 NtOpenKey (0x1, {24, 68, 0x40, 0, 0, (0x1, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 136, ) }, ... 136, ) == 0x0 00924 408 NtQueryValueKey (136, (136, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 408 NtClose (136, ... ) == 0x0 00926 408 NtQueryValueKey (80, (80, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 408 NtQueryValueKey (80, (80, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 408 NtQueryValueKey (80, (80, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 408 NtQueryValueKey (80, (80, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 408 NtQueryValueKey (80, (80, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 408 NtQueryValueKey (80, (80, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00932 408 NtQueryValueKey (80, (80, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 408 NtQueryValueKey (80, (80, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 408 NtQueryValueKey (80, (80, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00936 408 NtQueryValueKey (136, (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 408 NtClose (136, ... ) == 0x0 00938 408 NtQueryValueKey (80, (80, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 408 NtQueryValueKey (80, (80, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 408 NtQueryValueKey (80, (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00941 408 NtQueryValueKey (80, (80, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00942 408 NtQueryValueKey (80, (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00943 408 NtQueryValueKey (80, (80, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00944 408 NtQueryValueKey (80, (80, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 408 NtQueryValueKey (80, (80, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 408 NtQueryValueKey (80, (80, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 408 NtQueryValueKey (80, (80, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 408 NtQueryValueKey (80, (80, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00949 408 NtQueryValueKey (80, (80, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 408 NtQueryValueKey (80, (80, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 408 NtQueryValueKey (80, (80, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 408 NtQueryValueKey (80, (80, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 408 NtQueryValueKey (80, (80, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 408 NtQueryValueKey (80, (80, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 136, ) }, ... 
136, ) == 0x0 00956 408 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 132, ) == 0x0 00957 408 NtQueryValueKey (80, (80, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 408 NtWaitForSingleObject (100, 0, 0x0, ... ) == 0x0 00959 408 NtQueryInformationFile (96, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00960 408 NtReleaseMutant (100, ... 0x0, ) == 0x0 00961 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 144, ) }, ... 144, ) == 0x0 00962 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 148, ) == 0x0 00963 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 152, ) }, ... 152, ) == 0x0 00964 408 NtQueryValueKey (80, (80, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00965 408 NtQueryValueKey (80, (80, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00966 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0 00967 408 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00968 408 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... 
TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00969 408 NtClose (156, ... ) == 0x0 00970 408 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00971 408 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 156, ) == 0x0 00972 408 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 00973 408 NtClearEvent (156, ... ) == 0x0 00974 408 NtSetEvent (156, ... 0x0, ) == 0x0 00975 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1239932, ... ) }, 1239932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1239932, ... ) }, 1239932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1239932, ... ) }, 1239932, ... ) == 0x0 00979 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0 00980 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 160, ... 164, ) == 0x0 00981 408 NtQuerySection (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00982 408 NtClose (160, ... ) == 0x0 00983 408 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00984 408 NtClose (164, ... ) == 0x0 00985 408 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0 00986 408 NtQueryValueKey (164, (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00987 408 NtQueryValueKey (164, (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00988 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 00989 408 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "Protocol_Catalog9"}, ... 168, ) }, ... 168, ) == 0x0 00990 408 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00991 408 NtNotifyChangeKey (168, 160, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00992 408 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00993 408 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 408 NtQueryValueKey (168, (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00995 408 NtQueryValueKey (168, (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00996 408 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "Catalog_Entries"}, ... 172, ) }, ... 172, ) == 0x0 00997 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000001"}, ... 176, ) }, ... 176, ) == 0x0 00998 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00999 408 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01000 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01001 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\353\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01002 408 NtClose (176, ... ) == 0x0 01003 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000002"}, ... 176, ) }, ... 176, ) == 0x0 01004 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01005 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01006 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\360\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01007 408 NtClose (176, ... ) == 0x0 01008 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000003"}, ... 176, ) }, ... 176, ) == 0x0 01009 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01010 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01011 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\364\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\365\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01012 408 NtClose (176, ... ) == 0x0 01013 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000004"}, ... 176, ) }, ... 176, ) == 0x0 01014 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01015 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01016 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\371\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\372\3\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\373\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\3\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01017 408 NtClose (176, ... ) == 0x0 01018 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000005"}, ... 176, ) }, ... 176, ) == 0x0 01019 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01020 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01021 408 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01022 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\0\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01023 408 NtClose (176, ... ) == 0x0 01024 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000006"}, ... 176, ) }, ... 176, ) == 0x0 01025 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01026 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01027 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\4\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\4\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\5\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\6\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\0\207\0\11\0\0\0\0\10\0\0\\0s\0\24\0\0\0\0\360\375\177\211e@\0\0\2\0\0\4\0\0\0t\0r\08\275D\0\12D@\0:n@\0\2\0\0\0\300\12\210\0@\12\210\0\\0s\0t\0r\0\0\360\375\177"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\4\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\4\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\5\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\6\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\0\207\0\11\0\0\0\0\10\0\0\\0s\0\24\0\0\0\0\360\375\177\211e@\0\0\2\0\0\4\0\0\0t\0r\08\275D\0\12D@\0:n@\0\2\0\0\0\300\12\210\0@\12\210\0\\0s\0t\0r\0\0\360\375\177"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\0\207\0\11\0\0\0\0\10\0\0\\0s\0\24\0\0\0\0\360\375\177\211e@\0\0\2\0\0\4\0\0\0t\0r\08\275D\0\12D@\0:n@\0\2\0\0\0\300\12\210\0@\12\210\0\\0s\0t\0r\0\0\360\375\177"}, 900, ) == 0x0 01028 408 NtClose (176, ... ) == 0x0 01029 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000007"}, ... 176, ) }, ... 176, ) == 0x0 01030 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01031 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01032 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\12\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01033 408 NtClose (176, ... ) == 0x0 01034 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000008"}, ... 176, ) }, ... 176, ) == 0x0 01035 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01036 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01037 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\16\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\17\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\20\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01038 408 NtClose (176, ... ) == 0x0 01039 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000009"}, ... 176, ) }, ... 176, ) == 0x0 01040 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01041 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01042 408 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01043 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\25\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01044 408 NtClose (176, ... ) == 0x0 01045 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000010"}, ... 176, ) }, ... 176, ) == 0x0 01046 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01047 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01048 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\31\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0L\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0P\311\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\32\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\33\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\4\0\0\204\1\0\0\230\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01049 408 NtClose (176, ... ) == 0x0 01050 408 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000011"}, ... 176, ) }, ... 176, ) == 0x0 01051 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01052 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01053 408 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\36\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\36\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\37\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \4\0\0\204\1\0\0\230\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \4\0\0\204\1\0\0\230\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0!\4\0\0\204\1\0\0\230\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0!\4\0\0\204\1\0\0\230\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0"\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0h\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 \311\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\36\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\36\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\37\4\0\0\204\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \4\0\0\204\1\0\0\230\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \4\0\0\204\1\0\0\230\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0!\4\0\0\204\1\0\0\230\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0!\4\0\0\204\1\0\0\230\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0"\4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0h\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 \311\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\204\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0h\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 
\311\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01054 408 NtClose (176, ... ) == 0x0 01055 408 NtClose (172, ... ) == 0x0 01056 408 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 01057 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0 01058 408 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 176, ) }, ... 176, ) == 0x0 01059 408 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01060 408 NtNotifyChangeKey (176, 172, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01061 408 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01062 408 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01063 408 NtQueryValueKey (176, (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01064 408 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "Catalog_Entries"}, ... 180, ) }, ... 180, ) == 0x0 01065 408 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000001"}, ... 184, ) }, ... 184, ) == 0x0 01066 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01067 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01068 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01069 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01070 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01071 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01072 408 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... 
TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01073 408 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01074 408 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01075 408 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01076 408 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01077 408 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01078 408 NtClose (184, ... ) == 0x0 01079 408 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000002"}, ... 184, ) }, ... 184, ) == 0x0 01080 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01081 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01082 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01083 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01084 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01085 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01086 408 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01087 408 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01088 408 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01089 408 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01090 408 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01091 408 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01092 408 NtClose (184, ... ) == 0x0 01093 408 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000003"}, ... 184, ) }, ... 184, ) == 0x0 01094 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01095 408 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01096 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01097 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01098 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01099 408 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 
1376256, 4096, ) == 0x0 01100 408 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01101 408 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01102 408 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01103 408 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01104 408 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01105 408 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01106 408 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01107 408 NtClose (184, ... ) == 0x0 01108 408 NtClose (180, ... ) == 0x0 01109 408 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 01110 408 NtClose (164, ... ) == 0x0 01111 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01112 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01113 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0 01114 408 NtQueryValueKey (164, (164, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 408 NtClose (164, ... ) == 0x0 01116 408 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0 01117 408 NtClearEvent (132, ... ) == 0x0 01118 408 NtSetEvent (132, ... 0x0, ) == 0x0 01119 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01120 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01121 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01122 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240464, ... ) }, 1240464, ... ) == 0x0 01123 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 
180, {status=0x0, info=1}, ) == 0x0 01124 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01125 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01126 408 NtClose (180, ... ) == 0x0 01127 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01128 408 NtClose (184, ... ) == 0x0 01129 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01130 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240928, ... ) }, 1240928, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01131 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240928, ... ) }, 1240928, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01132 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240928, ... ) }, 1240928, ... ) == 0x0 01133 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01134 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01135 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01136 408 NtClose (184, ... ) == 0x0 01137 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01138 408 NtClose (180, ... ) == 0x0 01139 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01140 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1240124, ... ) }, 1240124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01141 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1240124, ... 
) }, 1240124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01142 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1240124, ... ) }, 1240124, ... ) == 0x0 01143 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01144 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01145 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01146 408 NtClose (180, ... ) == 0x0 01147 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01148 408 NtClose (184, ... ) == 0x0 01149 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01150 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239320, ... ) }, 1239320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01151 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239320, ... ) }, 1239320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01152 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239320, ... ) }, 1239320, ... ) == 0x0 01153 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01154 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01155 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01156 408 NtClose (184, ... ) == 0x0 01157 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01158 408 NtClose (180, ... 
) == 0x0 01159 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01160 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01161 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01162 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01163 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01164 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01165 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01166 408 NtClose (180, ... ) == 0x0 01167 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01168 408 NtClose (184, ... ) == 0x0 01169 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237712, ... ) }, 1237712, ... ) == 0x0 01173 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 
184, {status=0x0, info=1}, ) == 0x0 01174 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01175 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01176 408 NtClose (184, ... ) == 0x0 01177 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01178 408 NtClose (180, ... ) == 0x0 01179 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236908, ... ) }, 1236908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01181 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236908, ... ) }, 1236908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236908, ... ) }, 1236908, ... ) == 0x0 01183 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01184 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01185 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01186 408 NtClose (180, ... ) == 0x0 01187 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01188 408 NtClose (184, ... ) == 0x0 01189 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 184, ) }, ... 184, ) == 0x0 01190 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01191 408 NtClose (184, ... ) == 0x0 01192 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01193 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01194 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01195 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237712, ... ) }, 1237712, ... ) == 0x0 01196 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01197 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01198 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01199 408 NtClose (184, ... ) == 0x0 01200 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01201 408 NtClose (180, ... ) == 0x0 01202 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01205 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01206 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01207 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 
184, ) == 0x0 01208 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01209 408 NtClose (180, ... ) == 0x0 01210 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01211 408 NtClose (184, ... ) == 0x0 01212 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01213 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01214 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01215 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01216 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01217 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01218 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01219 408 NtClose (184, ... ) == 0x0 01220 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01221 408 NtClose (180, ... ) == 0x0 01222 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01223 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01224 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238516, ... ) }, 1238516, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01225 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01226 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01227 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01228 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01229 408 NtClose (180, ... ) == 0x0 01230 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01231 408 NtClose (184, ... ) == 0x0 01232 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01233 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239320, ... ) }, 1239320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01234 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239320, ... ) }, 1239320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239320, ... ) }, 1239320, ... ) == 0x0 01236 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01237 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01238 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01239 408 NtClose (184, ... ) == 0x0 01240 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01241 408 NtClose (180, ... 
) == 0x0 01242 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01243 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01244 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01245 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01246 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01247 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01248 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01249 408 NtClose (180, ... ) == 0x0 01250 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01251 408 NtClose (184, ... ) == 0x0 01252 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01253 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01254 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01255 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01256 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 
184, {status=0x0, info=1}, ) == 0x0 01257 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01258 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01259 408 NtClose (184, ... ) == 0x0 01260 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01261 408 NtClose (180, ... ) == 0x0 01262 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01264 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01265 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237712, ... ) }, 1237712, ... ) == 0x0 01266 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01267 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01268 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01269 408 NtClose (180, ... ) == 0x0 01270 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 01271 408 NtClose (184, ... ) == 0x0 01272 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239320, ... ) }, 1239320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239320, ... ) }, 1239320, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01275 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239320, ... ) }, 1239320, ... ) == 0x0 01276 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01277 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01278 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01279 408 NtClose (184, ... ) == 0x0 01280 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01281 408 NtClose (180, ... ) == 0x0 01282 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01286 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01287 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01288 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01289 408 NtClose (180, ... ) == 0x0 01290 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01291 408 NtClose (184, ... 
) == 0x0 01292 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01296 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01297 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01298 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01299 408 NtClose (184, ... ) == 0x0 01300 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01301 408 NtClose (180, ... ) == 0x0 01302 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01304 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237712, ... ) }, 1237712, ... ) == 0x0 01306 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 
180, {status=0x0, info=1}, ) == 0x0 01307 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01308 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01309 408 NtClose (180, ... ) == 0x0 01310 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01311 408 NtClose (184, ... ) == 0x0 01312 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01313 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01314 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01315 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 01316 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01317 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01318 408 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01319 408 NtClose (184, ... ) == 0x0 01320 408 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01321 408 NtClose (180, ... ) == 0x0 01322 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01323 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237712, ... ) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01324 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237712, ... 
) }, 1237712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01325 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237712, ... ) }, 1237712, ... ) == 0x0 01326 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01327 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01328 408 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01329 408 NtClose (180, ... ) == 0x0 01330 408 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01331 408 NtClose (184, ... ) == 0x0 01332 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 01333 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 180, ) }, ... 180, ) == 0x0 01334 408 NtQueryValueKey (180, (180, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01335 408 NtClose (180, ... ) == 0x0 01336 408 NtQueryDefaultLocale (1, 1241572, ... ) == 0x0 01337 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01338 408 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11141120, 262144, ) == 0x0 01339 408 NtAllocateVirtualMemory (-1, 11141120, 0, 4096, 4096, 4, ... 11141120, 4096, ) == 0x0 01340 408 NtAllocateVirtualMemory (-1, 11145216, 0, 8192, 4096, 4, ... 
11145216, 8192, ) == 0x0 01341 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01342 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01343 408 NtQueryDefaultLocale (1, 1241532, ... ) == 0x0 01344 408 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01345 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01346 408 NtQueryValueKey (180, (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01347 408 NtClose (180, ... ) == 0x0 01348 408 NtUserGetProcessWindowStation (... ) == 0x28 01349 408 NtUserGetObjectInformation (40, 1, 1241204, 12, 1241216, ... ) == 0x1 01350 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 180, ) }, ... 180, ) == 0x0 01351 408 NtQueryValueKey (180, (180, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01352 408 NtClose (180, ... ) == 0x0 01353 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01354 408 NtQueryValueKey (180, (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "OsLoaderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01355 408 NtQueryValueKey (180, (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01356 408 NtClose (180, ... ) == 0x0 01357 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01358 408 NtQueryValueKey (180, (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01359 408 NtQueryValueKey (180, (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01360 408 NtClose (180, ... ) == 0x0 01361 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01362 408 NtQueryValueKey (180, (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01363 408 NtQueryValueKey (180, (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01364 408 NtClose (180, ... ) == 0x0 01365 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01366 408 NtQueryValueKey (180, (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01367 408 NtQueryValueKey (180, (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01368 408 NtClose (180, ... ) == 0x0 01369 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01370 408 NtQueryValueKey (180, (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01371 408 NtQueryValueKey (180, (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01372 408 NtClose (180, ... 
) == 0x0 01373 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 180, ) }, ... 180, ) == 0x0 01374 408 NtQueryValueKey (180, (180, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01375 408 NtClose (180, ... ) == 0x0 01376 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 01377 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 188, ) == 0x0 01378 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01379 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 196, ) == 0x0 01380 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0 01381 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 204, ) == 0x0 01382 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 208, ) }, ... 208, ) == 0x0 01383 408 NtQueryValueKey (208, (208, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01384 408 NtQueryValueKey (208, (208, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 408 NtOpenKey (0x1, {24, 208, 0x40, 0, 0, (0x1, {24, 208, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01386 408 NtClose (208, ... ) == 0x0 01387 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1241124, ... ) }, 1241124, ... ) == 0x0 01388 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 208, ) }, ... 208, ) == 0x0 01389 408 NtQueryValueKey (208, (208, "ComputerName", Full, 128, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (208, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01390 408 NtClose (208, ... ) == 0x0 01391 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0 01392 408 NtQueryValueKey (208, (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01393 408 NtClose (208, ... ) == 0x0 01394 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0 01396 408 NtQueryValueKey (208, (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01397 408 NtClose (208, ... ) == 0x0 01398 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01399 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
212, ) == 0x0 01400 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 216, ) == 0x0 01401 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 220, ) }, ... 220, ) == 0x0 01402 408 NtQueryValueKey (220, (220, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 408 NtQueryValueKey (220, (220, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 408 NtQueryValueKey (220, (220, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 408 NtQueryValueKey (220, (220, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 408 NtQueryValueKey (220, (220, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 408 NtQueryValueKey (220, (220, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 408 NtQueryValueKey (220, (220, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 408 NtQueryValueKey (220, (220, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01410 408 NtQueryValueKey (220, (220, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01411 408 NtQueryValueKey (220, (220, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01412 408 NtQueryValueKey (220, (220, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 408 NtQueryValueKey (220, (220, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01414 408 NtQueryValueKey (220, (220, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 408 NtQueryValueKey (220, (220, "midi3", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01416 408 NtQueryValueKey (220, (220, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 408 NtQueryValueKey (220, (220, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01418 408 NtQueryValueKey (220, (220, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 408 NtQueryValueKey (220, (220, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01420 408 NtQueryValueKey (220, (220, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01421 408 NtQueryValueKey (220, (220, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01422 408 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 01423 408 NtQueryValueKey (220, (220, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01424 408 NtQueryValueKey (220, (220, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01425 408 NtQueryValueKey (220, (220, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 408 NtQueryValueKey (220, (220, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01427 408 NtQueryValueKey (220, (220, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 408 NtQueryValueKey (220, (220, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01429 408 NtQueryValueKey (220, (220, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 408 NtQueryValueKey (220, (220, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 408 NtQueryValueKey (220, (220, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 408 NtQueryValueKey (220, (220, "aux9", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01433 408 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 01434 408 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 224, ) }, ... 224, ) == 0x0 01435 408 NtQueryValueKey (224, (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01436 408 NtClose (224, ... ) == 0x0 01437 408 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01438 408 NtQueryValueKey (220, (220, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 408 NtQueryValueKey (220, (220, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 408 NtQueryValueKey (220, (220, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 408 NtQueryValueKey (220, (220, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 408 NtQueryValueKey (220, (220, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 408 NtQueryValueKey (220, (220, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01444 408 NtQueryValueKey (220, (220, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 408 NtQueryValueKey (220, (220, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 408 NtQueryValueKey (220, (220, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01447 408 NtQueryValueKey (220, (220, "mixer9", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01448 408 NtQueryDefaultUILanguage (1240092, ... 01449 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01450 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01451 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01452 408 NtClose (-2147482020, ... ) == 0x0 01453 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01454 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01456 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 408 NtClose (-2147482032, ... ) == 0x0 01458 408 NtClose (-2147482020, ... ) == 0x0 01448 408 NtQueryDefaultUILanguage ... ) == 0x0 01459 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 224, {status=0x0, info=1}, ) }, 1, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01461 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0 01462 408 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0xae0000), 0x0, 163840, ) == 0x0 01463 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 408 NtQueryDefaultLocale (1, 1238128, ... ) == 0x0 01465 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01466 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238984, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238984, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\34\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\260\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\310\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\34\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\260\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\310\356\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 408, 1504, 0} (24, {128, 156, new_msg, 0, 1238984, 1, 96, 0} "\210\6\34\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\34\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\260\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\310\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1504, 0} " S\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\34\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\260\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\34\1\0\0\0\0\0\0\0\0\310\356\22\0\0\0\0\0" ) ) == 0x0 01467 408 NtClose (224, ... 
) == 0x0 01468 408 NtClose (228, ... ) == 0x0 01469 408 NtUnmapViewOfSection (-1, 0xae0000, ... ) == 0x0 01470 408 NtUnmapViewOfSection (-1, 0x12eec8, ... ) == STATUS_NOT_MAPPED_VIEW 01471 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01472 408 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01473 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01474 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01475 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01476 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237212, ... ) }, 1237212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01477 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01478 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01479 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01480 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237804, ... ) }, 1237804, ... ) == 0x0 01481 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 228, {status=0x0, info=1}, ) }, 3, 33, ... 228, {status=0x0, info=1}, ) == 0x0 01482 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01483 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01484 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 224, ... 232, ) == 0x0 01485 408 NtClose (224, ... 
) == 0x0 01486 408 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 921600, ) == 0x0 01487 408 NtClose (232, ... ) == 0x0 01488 408 NtUnmapViewOfSection (-1, 0xb20000, ... ) == 0x0 01489 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01490 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 224, ) == 0x0 01491 408 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01492 408 NtClose (232, ... ) == 0x0 01493 408 NtMapViewOfSection (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01494 408 NtClose (224, ... ) == 0x0 01495 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01496 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01497 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01498 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01499 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01500 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01501 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01502 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01503 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01504 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01505 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01506 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01507 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 01508 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01509 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01510 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01511 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01512 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01513 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01514 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01515 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01516 408 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238988, ... ) , 42, 1238988, ... ) == 0x0 01517 408 NtQueryDefaultUILanguage (1237704, ... 01518 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01519 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01520 408 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01521 408 NtClose (-2147482020, ... ) == 0x0 01522 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01523 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 408 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01525 408 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01526 408 NtClose (-2147482032, ... 
) == 0x0 01527 408 NtClose (-2147482020, ... ) == 0x0 01517 408 NtQueryDefaultUILanguage ... ) == 0x0 01528 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236556, ... ) }, 1236556, ... ) == 0x0 01530 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01531 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 224, ... 232, ) == 0x0 01532 408 NtClose (224, ... ) == 0x0 01533 408 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xae0000), 0x0, 4096, ) == 0x0 01534 408 NtClose (232, ... ) == 0x0 01535 408 NtUnmapViewOfSection (-1, 0xae0000, ... ) == 0x0 01536 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236196, ... ) }, 1236196, ... ) == 0x0 01537 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236896, (0x80100080, {24, 0, 0x40, 0, 1236896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 232, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 232, {status=0x0, info=1}, ) == 0x0 01538 408 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 232, ... 224, ) == 0x0 01539 408 NtClose (232, ... ) == 0x0 01540 408 NtMapViewOfSection (224, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xae0000), {0, 0}, 4096, ) == 0x0 01541 408 NtClose (224, ... ) == 0x0 01542 408 NtUnmapViewOfSection (-1, 0xae0000, ... ) == 0x0 01543 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 224, {status=0x0, info=1}, ) }, 1, 96, ... 
224, {status=0x0, info=1}, ) == 0x0 01544 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 224, ... 232, ) == 0x0 01545 408 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xae0000), 0x0, 4096, ) == 0x0 01546 408 NtQueryInformationFile (224, 1236516, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01547 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01548 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236596, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236596, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1\340\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0t\345\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1505, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1\340\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0t\345\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 388, 408, 1505, 0} (24, {128, 156, new_msg, 0, 1236596, 1, 96, 0} "\210\6\34\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1\340\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0t\345\22\0\0\0\0\0" ... {128, 156, reply, 0, 388, 408, 1505, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\34\1\340\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\34\1\0\0\0\0\0\0\0\0t\345\22\0\0\0\0\0" ) ) == 0x0 01549 408 NtClose (224, ... 
) == 0x0 01550 408 NtClose (232, ... ) == 0x0 01551 408 NtUnmapViewOfSection (-1, 0xae0000, ... ) == 0x0 01552 408 NtUnmapViewOfSection (-1, 0x12e574, ... ) == STATUS_NOT_MAPPED_VIEW 01553 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01554 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01555 408 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01556 408 NtUserGetDC (0, ... ) == 0x1010051 01557 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01558 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01559 408 NtContinue (1236560, 0, ... 01560 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01561 408 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01562 408 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01563 408 NtUnmapViewOfSection (-1, 0xb10000, ... ) == 0x0 01564 408 NtClose (228, ... ) == 0x0 01565 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 228, ) }, ... 228, ) == 0x0 01566 408 NtQueryValueKey (228, (228, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01567 408 NtQueryValueKey (228, (228, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01568 408 NtClose (228, ... ) == 0x0 01569 408 NtCreateMutant (0x1f0001, 0x0, 0, ... 228, ) == 0x0 01570 408 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1381568, 0, (0x1f0001, {24, 52, 0x80, 1381568, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01571 408 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 232, ) }, ... 232, ) == 0x0 01572 408 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 224, ) == 0x0 01573 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 236, ) == 0x0 01574 408 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 
240, ) == 0x0 01575 408 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 244, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 244, 2, ) , 0, ... 244, 2, ) == 0x0 01576 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 248, ) }, ... 248, ) == 0x0 01577 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01578 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 408 NtQueryValueKey (248, (248, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01580 408 NtQueryValueKey (244, (244, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01581 408 NtQueryValueKey (248, (248, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01582 408 NtQueryValueKey (244, (244, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01583 408 NtQueryValueKey (248, (248, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01584 408 NtQueryValueKey (244, (244, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 408 NtQueryValueKey (248, (248, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01586 408 NtQueryValueKey (244, (244, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01587 408 NtQueryValueKey (248, (248, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 408 NtQueryValueKey (248, (248, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 408 NtQueryValueKey (248, (248, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 408 NtQueryValueKey (248, (248, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 408 NtQueryValueKey (248, (248, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01592 408 NtQueryValueKey (248, (248, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01593 408 NtQueryValueKey (248, (248, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01594 408 NtQueryValueKey (244, (244, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01595 408 NtQueryValueKey (248, (248, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01596 408 NtQueryValueKey (248, (248, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01597 408 NtQueryValueKey (244, (244, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 408 NtQueryValueKey (248, (248, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 408 NtQueryValueKey (244, (244, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01600 408 NtQueryValueKey (248, (248, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01601 408 NtQueryValueKey (244, (244, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01602 408 NtQueryValueKey (248, (248, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01603 408 NtQueryValueKey (244, (244, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01604 408 NtQueryValueKey (248, (248, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01605 408 NtQueryValueKey (244, (244, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 408 NtQueryValueKey (248, (248, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01607 408 NtQueryValueKey (244, (244, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01608 408 NtQueryValueKey (248, (248, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01609 408 NtQueryValueKey (244, (244, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01610 408 NtQueryValueKey (248, (248, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01611 408 NtQueryValueKey (244, (244, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01612 408 NtQueryValueKey (248, (248, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01613 408 NtQueryValueKey (248, (248, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01614 408 NtQueryValueKey (248, (248, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 408 NtQueryValueKey (248, (248, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01616 408 NtQueryValueKey (248, (248, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 408 NtQueryValueKey (248, (248, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01618 408 NtQueryValueKey (248, (248, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01619 408 NtQueryValueKey (248, (248, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01620 408 NtQueryValueKey (248, (248, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 408 NtQueryValueKey (248, (248, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 408 NtQueryValueKey (248, (248, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01623 408 NtQueryValueKey (248, (248, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01624 408 NtQueryValueKey (248, (248, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01625 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 252, ) }, ... 252, ) == 0x0 01626 408 NtQueryValueKey (252, (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01627 408 NtClose (252, ... ) == 0x0 01628 408 NtClose (244, ... ) == 0x0 01629 408 NtClose (248, ... 
) == 0x0 01630 408 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 248, ) }, ... 248, ) == 0x0 01631 408 NtQueryValueKey (248, (248, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01632 408 NtQueryValueKey (248, (248, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 408 NtQueryValueKey (248, (248, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01634 408 NtClose (248, ... ) == 0x0 01635 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0 01636 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 244, ) == 0x0 01637 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 252, ) == 0x0 01638 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01639 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11403264, 65536, ) == 0x0 01640 408 NtAllocateVirtualMemory (-1, 11403264, 0, 4096, 4096, 4, ... 11403264, 4096, ) == 0x0 01641 408 NtAllocateVirtualMemory (-1, 11407360, 0, 8192, 4096, 4, ... 11407360, 8192, ) == 0x0 01642 408 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 256, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 256, {status=0x0, info=0}, ) == 0x0 01643 408 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
260, {status=0x0, info=0}, ) == 0x0 01644 408 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0 01645 408 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) == 0x0 01646 408 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1241656, (0x20100080, {24, 0, 0x40, 0, 1241656, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0 01647 408 NtAllocateVirtualMemory (-1, 11415552, 0, 36864, 4096, 4, ... 11415552, 36864, ) == 0x0 01648 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01649 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (256, 276, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01650 408 NtClose (276, ... ) == 0x0 01651 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01652 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0)Ty\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (256, 276, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0)Ty\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01653 408 NtClose (276, ... ) == 0x0 01654 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01655 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0PTy\344Yx\2\0\337\0\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264|\0\0\265\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (256, 276, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0PTy\344Yx\2\0\337\0\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264|\0\0\265\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01656 408 NtClose (276, ... ) == 0x0 01657 408 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01658 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01659 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (256, 276, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01660 408 NtClose (276, ... ) == 0x0 01661 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01662 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (256, 276, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01663 408 NtClose (276, ... ) == 0x0 01664 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 01665 408 NtDeviceIoControlFile (256, 276, 0x0, 0x0, 0x120003, (256, 276, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (256, 276, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01666 408 NtClose (276, ... ) == 0x0 01667 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01668 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... 
{BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01669 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01670 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01671 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01672 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01673 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01674 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01675 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01676 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01677 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01678 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01679 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01680 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01681 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01682 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11534336, 65536, ) == 0x0 01683 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01684 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01685 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01686 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01687 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01688 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01689 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01690 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01691 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01692 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01693 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01694 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01695 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01696 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... 
(0xb00000), 65536, ) == 0x0 01697 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01698 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01699 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01700 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01701 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01702 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01703 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01704 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01705 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01706 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01707 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01708 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01709 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01710 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... 
{BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01711 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01712 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01713 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01714 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01715 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01716 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01717 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01718 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01719 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01720 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01721 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01722 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01723 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01724 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 
11534336, 4096, ) == 0x0 01725 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01726 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01727 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01728 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01729 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01730 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01731 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01732 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01733 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01734 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01735 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01736 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01737 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01738 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... 
{BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01739 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01740 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01741 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01742 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01743 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01744 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01745 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01746 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01747 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01748 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01749 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01750 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01751 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01752 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11534336, 65536, ) == 0x0 01753 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01754 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01755 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01756 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01757 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01758 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01759 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01760 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01761 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01762 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01763 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01764 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01765 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01766 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... 
(0xb00000), 65536, ) == 0x0 01767 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01768 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01769 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01770 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01771 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01772 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01773 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01774 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01775 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01776 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01777 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01778 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01779 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01780 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... 
{BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01781 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01782 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01783 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01784 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01785 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01786 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01787 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11534336, 65536, ) == 0x0 01788 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01789 408 NtAllocateVirtualMemory (-1, 11534336, 0, 1, 4096, 4, ... 11534336, 4096, ) == 0x0 01790 408 NtQueryVirtualMemory (-1, 0xb00000, Basic, 28, ... {BaseAddress=0xb00000,AllocationBase=0xb00000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01791 408 NtFreeVirtualMemory (-1, (0xb00000), 0, 32768, ... (0xb00000), 65536, ) == 0x0 01792 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 276, ) }, ... 276, ) == 0x0 01793 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 280, ) }, ... 
280, ) == 0x0 01794 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 284, ) }, ... 284, ) == 0x0 01795 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 288, ) }, ... 288, ) == 0x0 01796 408 NtQueryDefaultLocale (1, 1241592, ... ) == 0x0 01797 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 292, ) }, ... 292, ) == 0x0 01798 408 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 01799 408 NtClose (292, ... ) == 0x0 01800 408 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 292, ) == 0x0 01801 408 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0 01802 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 300, ) }, ... 300, ) == 0x0 01803 408 NtNotifyChangeKey (300, 296, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 01804 408 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 01805 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 304, ) == 0x0 01806 408 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 308, ) == 0x0 01807 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01809 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01810 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240464, ... ) }, 1240464, ... 
) == 0x0 01811 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 01812 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0 01813 408 NtQuerySection (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01814 408 NtClose (312, ... ) == 0x0 01815 408 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 01816 408 NtClose (316, ... ) == 0x0 01817 408 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 01818 408 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 01819 408 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 01820 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 316, ) }, ... 316, ) == 0x0 01821 408 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 01822 408 NtClose (316, ... ) == 0x0 01823 408 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 01824 408 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 01825 408 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 01826 408 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 01827 408 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 01828 408 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 01829 408 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 01830 408 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 01831 408 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 01832 408 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... 
) == 0xc071 01833 408 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 01834 408 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 01835 408 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 01836 408 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 01837 408 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 01838 408 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 01839 408 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 01840 408 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 01841 408 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 01842 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01843 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01844 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01845 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01846 408 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11534336, 262144, ) == 0x0 01847 408 NtAllocateVirtualMemory (-1, 11534336, 0, 4096, 4096, 4, ... 11534336, 4096, ) == 0x0 01848 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01849 408 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11796480, 262144, ) == 0x0 01850 408 NtAllocateVirtualMemory (-1, 11796480, 0, 4096, 4096, 4, ... 11796480, 4096, ) == 0x0 01851 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01852 408 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12058624, 262144, ) == 0x0 01853 408 NtAllocateVirtualMemory (-1, 12058624, 0, 4096, 4096, 4, ... 12058624, 4096, ) == 0x0 01854 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01855 408 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 12320768, 262144, ) == 0x0 01856 408 NtAllocateVirtualMemory (-1, 12320768, 0, 4096, 4096, 4, ... 12320768, 4096, ) == 0x0 01857 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01858 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01859 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01860 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01861 408 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01862 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236436, ... ) }, 1236436, ... ) == 0x0 01863 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01864 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 01865 408 NtClose (316, ... ) == 0x0 01866 408 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc00000), 0x0, 90112, ) == 0x0 01867 408 NtClose (312, ... ) == 0x0 01868 408 NtUnmapViewOfSection (-1, 0xc00000, ... ) == 0x0 01869 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236752, ... ) }, 1236752, ... ) == 0x0 01870 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 01871 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0 01872 408 NtQuerySection (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01873 408 NtClose (312, ... ) == 0x0 01874 408 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 01875 408 NtClose (316, ... ) == 0x0 01876 408 NtQueryDefaultLocale (1, 1238440, ... 
) == 0x0 01877 408 NtAllocateVirtualMemory (-1, 11538432, 0, 4096, 4096, 4, ... 11538432, 4096, ) == 0x0 01878 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 316, ) }, ... 316, ) == 0x0 01879 408 NtClose (316, ... ) == 0x0 01880 408 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01882 408 NtOpenKey (0x20019, {24, 68, 0x40, 0, 0, (0x20019, {24, 68, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01883 408 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01884 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01885 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01886 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "avicap32.dll"}, 1240464, ... ) }, 1240464, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01887 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 1240464, ... ) }, 1240464, ... ) == 0x0 01888 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01889 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 316, ... 312, ) == 0x0 01890 408 NtQuerySection (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01891 408 NtClose (316, ... 
) == 0x0 01892 408 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0 01893 408 NtClose (312, ... ) == 0x0 01894 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 312, ) }, ... 312, ) == 0x0 01895 408 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 01896 408 NtClose (312, ... ) == 0x0 01897 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01898 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239660, ... ) }, 1239660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01899 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MSVFW32.dll"}, 1239660, ... ) }, 1239660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01900 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 1239660, ... ) }, 1239660, ... ) == 0x0 01901 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 01902 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0 01903 408 NtQuerySection (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01904 408 NtClose (312, ... ) == 0x0 01905 408 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73bd0000), 0x0, 126976, ) == 0x0 01906 408 NtClose (316, ... ) == 0x0 01907 408 NtProtectVirtualMemory (-1, (0x73bd1000), 952, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 01908 408 NtProtectVirtualMemory (-1, (0x73bd1000), 4096, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 01909 408 NtFlushInstructionCache (-1, 1941770240, 952, ... ) == 0x0 01910 408 NtQueryDefaultLocale (1, 1240416, ... ) == 0x0 01911 408 NtQueryDefaultLocale (1, 1240420, ... 
) == 0x0 01912 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01913 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01914 408 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "FEnR"}, 0, ... 316, ) }, 0, ... 316, ) == 0x0 01915 408 NtWaitForSingleObject (316, 0, {-300000000, -1}, ... ) == 0x0 01916 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 1242408, ... ) }, 1242408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01917 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241324, (0x80100080, {24, 0, 0x40, 0, 1241324, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 01918 408 NtQueryInformationFile (312, 1242260, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01919 408 NtQueryInformationFile (312, 1242232, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01920 408 NtQueryInformationFile (312, 1242184, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01921 408 NtAllocateVirtualMemory (-1, 1388544, 0, 8192, 4096, 4, ... 1388544, 8192, ) == 0x0 01922 408 NtQueryInformationFile (312, 1385632, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01923 408 NtQueryInformationFile (312, 1240728, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01924 408 NtQueryInformationFile (312, 1240572, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01925 408 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240580, (0x40110080, {24, 0, 0x40, 0, 1240580, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01926 408 NtClose (-2147482020, ... ) == 0x0 01925 408 NtCreateFile ... 320, {status=0x0, info=2}, ) == 0x0 01927 408 NtQueryVolumeInformationFile (320, 1239952, 536, Attribute, ... 
{status=0x0, info=22}, ) == 0x0 01928 408 NtQueryInformationFile (320, 1239912, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01929 408 NtQueryVolumeInformationFile (312, 1239952, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01930 408 NtQueryVolumeInformationFile (312, 1239636, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01931 408 NtSetInformationFile (320, 1239740, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01932 408 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 312, ... 324, ) == 0x0 01933 408 NtMapViewOfSection (324, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xc00000), {0, 0}, 135168, ) == 0x0 01934 408 NtClose (324, ... ) == 0x0 01935 408 NtWriteFile (320, 0, 0, 0, (320, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0{\310\205\302?\251\353\221?\251\353\221?\251\353\221?\251\352\221\254\251\353\221]\266\370\221:\251\353\221D\265\347\221=\251\353\221\274\265\345\221&\251\353\221\327\266\341\221\271\251\353\221\327\266\340\221\13\251\353\221Rich?\251\353\221\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\375\313\375F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\0\0\0\0d\6\0\0\0\0\0\326k\11\0\0\20\0\0\0 \3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\11\0\0\4\0\0\374\332\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\342k\11\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~l\11\0\10\0\0\0\0 \3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0.text\0\0\0\0\20\3\0\0\20\0\0\0n\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01936 408 NtWriteFile (320, 0, 0, 0, (320, 0, 0, 0, "h\311\212\3535\232\374O+Xg\3522\277\26\306\213\333y\202\49\264}\222'\322\352Q\324\341\211`U$\263\177^J\12;\307\217\3303eG\270.\4\7\360\236XG\250\253s;\2411f\262\313\216\316\314Kbk\37`\332Q\213\25\242\245\314$\347\240=\212\344ax\204\6-\27;5k\340\244\22-\247u\3571\252fs\374JKa\335\344+L\32\26O\23\202o\234\340\270\214\37\15[\7?\227\15[8.V\337\30\277'\341{\365\375\310\257v\200\216\334!\206\211\13\24\233\225\301l`\221\4\373de\362\27w/I\214\16\352\330\5\220\221\3\12\375\327\371\323\303\201\32\250$\227\343\345o\31\206\237\27>\211\345\261\336\266;\312\245\311\13\11\31\300\3\325B\265\270F\330\237\370\305\220\335\321 0\331\17\214\3\366\207\225F\244L82\316\213\2554\337\206\354\253\1\303\37\321I%U\26\247\313\366\264\365\254+|G\26Stq\214\315\272_\330H\252\324\302\205\221\26Q\4\351\0\276\7\206\265\330G,!\320"\272Pq|\224:\245\241\1 \337\30\1\261\16V\7Q\272\206t\335F\353\246\352,\3J\356\221\343\366\351\222\4\306\372\342\241z`\6\304\244\235\270\345\2\231\324Y\20\2\\364M[z\30\323Y\220\220\201i\222\217A\35'\311gM\270\177\214hS*w\273\227z<\13\230Zy\25\227\230\232*\231w\13\215a\375\370\270G\265\262\310\253\324t\36\315\12\232+\327\270\377&w!]\274-\2245\305mn\33[\273(\265\16\245\360jTV\370l\234\213\336\357,\274\2746\330{\0f\305\314\12\216\3\252\354x\33\236\24\7\16Dwg\26\367\254p\262\311({\255\234aR\306\223t\26\370\3720\357\31\365\31#\362\376'\14\225;\305\22\320?\230\304$\3248-", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \272Pq|\224:\245\241\1 \337\30\1\261\16V\7Q\272\206t\335F\353\246\352,\3J\356\221\343\366\351\222\4\306\372\342\241z`\6\304\244\235\270\345\2\231\324Y\20\2\\364M[z\30\323Y\220\220\201i\222\217A\35'\311gM\270\177\214hS*w\273\227z<\13\230Zy\25\227\230\232*\231w\13\215a\375\370\270G\265\262\310\253\324t\36\315\12\232+\327\270\377&w!]\274-\2245\305mn\33[\273(\265\16\245\360jTV\370l\234\213\336\357,\274\2746\330{\0f\305\314\12\216\3\252\354x\33\236\24\7\16Dwg\26\367\254p\262\311({\255\234aR\306\223t\26\370\3720\357\31\365\31#\362\376'\14\225;\305\22\320?\230\304$\3248-", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01937 408 NtWriteFile (320, 0, 0, 0, (320, 0, 0, 0, "n\17\\313\217OrE\33\5\311\305b\226#\216L\312\32\375\24\213\234\346\13_\212>P@\35\35yW\363\312\237_\207b%\233A\344Qa&\306\236\10\277X]N\23\2017v\323\25\4\261\367_\15\266\202\257d\264s\365\177j\277\15H3\2\1\333\256\204\370\373\6\302\1\313B\263(\250\7\273\340!\270\220\243\2\214\252a\320\12\224Qh\340\234Eh\206 \351o\367\241\253x\222\222\325\215\334.\30\3\324`?~\365\223-\\222\333\34\206P\252{\3=T\2274\0\207n\31;\375\376\272\220ts\12+\241\312\372\313i\315\344\241\236 c\303\353\362\370u\274\10\206PGm7S\214]\246igD,\243&g\32\233\370t\207G\336\204\262\360S\320<^\214c\366i\360\27~\340\2576\371\301\330h\245c\362\326j\313)\221\226\343\305\2545\207\37\262\200\356\11\32\26\22\255_s\3654o\0\244\2278QN\361\364?\332\210\222^\0Fq>\2710\352\3221:\313\212\372zq`\226\350/?\25\0\302S\352"\177\242\362\305\0OcH\253t\327\214\262\370\307\327)|+h\250\17\344\200\25\375nv(\213\303X\341\244kS\360\322=p2+\243\335\346\262\276\335\333\0wn\225\31b4\274\321\342\21\373W\276T?\35W\246\251*\246\213\321\3165$1\337\316Z\361O\1\303m\251\14\332\362\5k\17\b\352QRr&X\335\357\315\341|}\333Ee\341\257b?[\234A\6\230\3@(Q\305O\244\274,\17\201\330\375Q0\277+f\0q\330w\304@=5:\36\352)\226\353n\37\357\13\3\212\233K\307&\270\323G@\307L\\377 
\26\372\2520Ku\262V\270\372k\375D\336o\241t\377K\305\371\13\263\16\3\300\207'\37\3360\341\3c+\363y\327\13z", 11264, 0x0, 0, ... {status=0x0, info=11264}, ) \177\242\362\305\0OcH\253t\327\214\262\370\307\327)|+h\250\17\344\200\25\375nv(\213\303X\341\244kS\360\322=p2+\243\335\346\262\276\335\333\0wn\225\31b4\274\321\342\21\373W\276T?\35W\246\251*\246\213\321\3165$1\337\316Z\361O\1\303m\251\14\332\362\5k\17\b\352QRr&X\335\357\315\341|}\333Ee\341\257b?[\234A\6\230\3@(Q\305O\244\274,\17\201\330\375Q0\277+f\0q\330w\304@=5:\36\352)\226\353n\37\357\13\3\212\233K\307&\270\323G@\307L\\377 \26\372\2520Ku\262V\270\372k\375D\336o\241t\377K\305\371\13\263\16\3\300\207'\37\3360\341\3c+\363y\327\13z", 11264, 0x0, 0, ... {status=0x0, info=11264}, ) == 0x0 01938 408 NtUnmapViewOfSection (-1, 0xc00000, ... ) == 0x0 01939 408 NtSetInformationFile (320, 1242184, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01940 408 NtClose (312, ... ) == 0x0 01941 408 NtClose (320, ... ) == 0x0 01942 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241324, ... ) }, 1241324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01943 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241324, ... ) }, 1241324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01944 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241324, ... ) }, 1241324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01945 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241324, ... ) }, 1241324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01946 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241324, ... ) }, 1241324, ... ) == 0x0 01947 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242080, (0x80100080, {24, 0, 0x40, 0, 1242080, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 
320, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 01948 408 NtQueryInformationFile (320, 1242132, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01949 408 NtClose (320, ... ) == 0x0 01950 408 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1242080, (0x40100080, {24, 0, 0x40, 0, 1242080, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 01951 408 NtSetInformationFile (320, 1242132, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01952 408 NtClose (320, ... ) == 0x0 01953 408 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 7, 2113568, ... 320, {status=0x0, info=1}, ) }, 7, 2113568, ... 320, {status=0x0, info=1}, ) == 0x0 01954 408 NtSetInformationFile (320, 1242384, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01955 408 NtClose (320, ... ) == 0x0 01956 408 NtOpenProcess (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {388, 0}, ... 320, ) == 0x0 01957 408 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01958 408 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 01959 408 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 312, ... 324, ) == 0x0 01960 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01961 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 328, ) }, ... 328, ) == 0x0 01962 408 NtQueryValueKey (328, (328, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01963 408 NtClose (328, ... ) == 0x0 01964 408 NtQueryVolumeInformationFile (312, 1238880, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01965 408 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 328, ) }, ... 328, ) == 0x0 01966 408 NtWaitForSingleObject (328, 0, {-1000000, -1}, ... ) == 0x0 01967 408 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 332, ) }, ... 332, ) == 0x0 01968 408 NtMapViewOfSection (332, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc00000), {0, 0}, 57344, ) == 0x0 01969 408 NtReleaseMutant (328, ... 0x0, ) == 0x0 01970 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236864, ... ) }, 1236864, ... ) == 0x0 01971 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0 01972 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 336, ... 340, ) == 0x0 01973 408 NtClose (336, ... ) == 0x0 01974 408 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc10000), 0x0, 106496, ) == 0x0 01975 408 NtClose (340, ... ) == 0x0 01976 408 NtUnmapViewOfSection (-1, 0xc10000, ... ) == 0x0 01977 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237180, ... ) }, 1237180, ... ) == 0x0 01978 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 01979 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 336, ) == 0x0 01980 408 NtQuerySection (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01981 408 NtClose (340, ... 
) == 0x0 01982 408 NtMapViewOfSection (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01983 408 NtClose (336, ... ) == 0x0 01984 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0 01985 408 NtQueryInformationFile (336, 1237468, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01986 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 336, ... 340, ) == 0x0 01987 408 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc10000), 0x0, 1028096, ) == 0x0 01988 408 NtQueryInformationFile (336, 1237564, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01989 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01990 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01991 408 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01992 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 01993 408 NtQueryDirectoryFile (344, 0, 0, 0, 1235128, 616, BothDirectory, 1, (344, 0, 0, 0, 1235128, 616, BothDirectory, 1, "tackexhusk.exe", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01994 408 NtClose (344, ... ) == 0x0 01995 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01996 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01997 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 1234516, ... ) }, 1234516, ... ) == 0x0 01998 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 01999 408 NtQueryDirectoryFile (344, 0, 0, 0, 1233876, 616, BothDirectory, 1, (344, 0, 0, 0, 1233876, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02000 408 NtClose (344, ... ) == 0x0 02001 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 02002 408 NtQueryDirectoryFile (344, 0, 0, 0, 1233876, 616, BothDirectory, 1, (344, 0, 0, 0, 1233876, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02003 408 NtClose (344, ... ) == 0x0 02004 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02005 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02006 408 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02007 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02008 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02009 408 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02010 408 NtClose (344, ... ) == 0x0 02011 408 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02012 408 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tackexhusk.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02013 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02014 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02015 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 1236796, ... ) }, 1236796, ... ) == 0x0 02016 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 02017 408 NtQueryDirectoryFile (344, 0, 0, 0, 1236156, 616, BothDirectory, 1, (344, 0, 0, 0, 1236156, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02018 408 NtClose (344, ... ) == 0x0 02019 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 02020 408 NtQueryDirectoryFile (344, 0, 0, 0, 1236156, 616, BothDirectory, 1, (344, 0, 0, 0, 1236156, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02021 408 NtClose (344, ... ) == 0x0 02022 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02023 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02024 408 NtWaitForSingleObject (328, 0, {-1000000, -1}, ... ) == 0x0 02025 408 NtQueryVolumeInformationFile (312, 1237440, 8, Device, ... 
{status=0x0, info=8}, ) == 0x0 02026 408 NtQueryInformationFile (312, 1237420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02027 408 NtQueryInformationFile (312, 1237460, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02028 408 NtReleaseMutant (328, ... 0x0, ) == 0x0 02029 408 NtUnmapViewOfSection (-1, 0xc10000, ... ) == 0x0 02030 408 NtClose (340, ... ) == 0x0 02031 408 NtClose (336, ... ) == 0x0 02032 408 NtQuerySection (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02033 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tackexhusk.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02034 408 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 02035 408 NtOpenProcessToken (-1, 0xa, ... 336, ) == 0x0 02036 408 NtQueryInformationToken (336, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 02037 408 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02038 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 340, ) }, ... 340, ) == 0x0 02039 408 NtQueryValueKey (340, (340, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (340, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02040 408 NtQueryValueKey (340, (340, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (340, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02041 408 NtClose (340, ... 
) == 0x0 02042 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 340, ) }, ... 340, ) == 0x0 02043 408 NtQueryValueKey (340, (340, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02044 408 NtQueryValueKey (340, (340, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (340, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 02045 408 NtClose (340, ... ) == 0x0 02046 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 340, ) }, ... 340, ) == 0x0 02048 408 NtQueryValueKey (340, (340, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02049 408 NtClose (340, ... 
) == 0x0 02050 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02051 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02052 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02053 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02054 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02055 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02056 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02057 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02058 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02059 408 NtQueryDefaultLocale (1, 1238252, ... ) == 0x0 02060 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 340, ) }, ... 340, ) == 0x0 02061 408 NtEnumerateKey (340, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (340, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 02062 408 NtOpenKey (0x20019, {24, 340, 0x40, 0, 0, (0x20019, {24, 340, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 344, ) }, ... 344, ) == 0x0 02063 408 NtQueryValueKey (344, (344, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (344, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 02064 408 NtQueryValueKey (344, (344, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (344, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02065 408 NtClose (344, ... ) == 0x0 02066 408 NtEnumerateKey (340, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 02067 408 NtClose (340, ... ) == 0x0 02068 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02069 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02070 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02071 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02072 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02073 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02074 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02075 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02076 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02077 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02078 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02079 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02080 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02081 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02082 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02083 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02084 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02085 408 NtClose (340, ... ) == 0x0 02086 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02087 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02088 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02089 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02090 408 NtClose (340, ... ) == 0x0 02091 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02092 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02093 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02094 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02095 408 NtClose (340, ... ) == 0x0 02096 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02097 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02098 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02099 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02100 408 NtClose (340, ... 
) == 0x0 02101 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02102 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02103 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02104 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02105 408 NtClose (340, ... ) == 0x0 02106 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02107 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02108 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02109 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02110 408 NtClose (340, ... ) == 0x0 02111 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02113 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02114 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02115 408 NtClose (340, ... ) == 0x0 02116 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02117 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02118 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02119 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02120 408 NtClose (340, ... ) == 0x0 02121 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02122 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02123 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02124 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02125 408 NtClose (340, ... ) == 0x0 02126 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02127 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02128 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02129 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02130 408 NtClose (340, ... ) == 0x0 02131 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02132 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02133 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02134 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02135 408 NtClose (340, ... 
) == 0x0 02136 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02137 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02138 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02139 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02140 408 NtClose (340, ... ) == 0x0 02141 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02142 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02143 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02144 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02145 408 NtClose (340, ... ) == 0x0 02146 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02147 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02148 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02149 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02150 408 NtClose (340, ... ) == 0x0 02151 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02152 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02153 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02154 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02155 408 NtClose (340, ... ) == 0x0 02156 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02157 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 340, ) }, ... 340, ) == 0x0 02158 408 NtQueryValueKey (340, (340, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (340, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (340, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 02159 408 NtClose (340, ... ) == 0x0 02160 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02161 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 340, ) == 0x0 02162 408 NtQueryInformationToken (340, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02163 408 NtClose (340, ... ) == 0x0 02164 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02165 408 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 02166 408 NtOpenProcessToken (-1, 0xa, ... 340, ) == 0x0 02167 408 NtDuplicateToken (340, 0xc, {24, 0, 0x0, 0, 1238772, 0x0}, 0, 2, ... 344, ) == 0x0 02168 408 NtClose (340, ... ) == 0x0 02169 408 NtAccessCheck (1392320, 344, 0x1, 1238900, 1238844, 56, 1238928, ... 
(0x1), ) == 0x0 02170 408 NtClose (344, ... ) == 0x0 02171 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 02172 408 NtQueryValueKey (344, (344, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (344, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02173 408 NtClose (344, ... ) == 0x0 02174 408 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 344, ) }, ... 344, ) == 0x0 02175 408 NtQuerySymbolicLinkObject (344, ... (344, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 02176 408 NtClose (344, ... ) == 0x0 02177 408 NtQueryInformationFile (312, 1237232, 528, Name, ... {status=0x0, info=68}, ) == 0x0 02178 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02179 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02180 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe"}, 1235912, ... ) }, 1235912, ... ) == 0x0 02181 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0 02182 408 NtQueryDirectoryFile (344, 0, 0, 0, 1235272, 616, BothDirectory, 1, (344, 0, 0, 0, 1235272, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02183 408 NtClose (344, ... ) == 0x0 02184 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 
344, {status=0x0, info=1}, ) == 0x0 02185 408 NtQueryDirectoryFile (344, 0, 0, 0, 1235272, 616, BothDirectory, 1, (344, 0, 0, 0, 1235272, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02186 408 NtClose (344, ... ) == 0x0 02187 408 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02188 408 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02189 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02190 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02191 408 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02192 408 NtClose (344, ... ) == 0x0 02193 408 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0 02194 408 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 340, ) }, ... 340, ) == 0x0 02195 408 NtClose (344, ... ) == 0x0 02196 408 NtQueryValueKey (340, (340, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02197 408 NtQueryValueKey (340, (340, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (340, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 02198 408 NtClose (340, ... ) == 0x0 02199 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 12648448, 4096, ) == 0x0 02200 408 NtAllocateVirtualMemory (-1, 12648448, 0, 4096, 4096, 4, ... 12648448, 4096, ) == 0x0 02201 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 340, ) }, ... 340, ) == 0x0 02202 408 NtQueryValueKey (340, (340, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02203 408 NtClose (340, ... ) == 0x0 02204 408 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 408 NtQueryInformationToken (336, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 02206 408 NtQueryInformationToken (336, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 02207 408 NtClose (336, ... ) == 0x0 02208 408 NtCreateProcessEx (1241508, 2035711, 0, -1, 4, 324, 0, 0, 0, ... ) == 0x0 02209 408 NtSetInformationProcess (336, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0 02210 408 NtQueryInformationProcess (336, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=388,}, 0x0, ) == 0x0 02211 408 NtReadVirtualMemory (336, 0x7ffdf008, 4, ... (336, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 02212 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tackexhusk.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02213 408 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0 02214 408 NtReadVirtualMemory (336, 0x400000, 4096, ... (336, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0{\310\205\302?\251\353\221?\251\353\221?\251\353\221?\251\352\221\254\251\353\221]\266\370\221:\251\353\221D\265\347\221=\251\353\221\274\265\345\221&\251\353\221\327\266\341\221\271\251\353\221\327\266\340\221\13\251\353\221Rich?\251\353\221\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\375\313\375F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\0\0\0\0d\6\0\0\0\0\0\326k\11\0\0\20\0\0\0 \3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\11\0\0\4\0\0\374\332\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\342k\11\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~l\11\0\10\0\0\0\0 \3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0.text\0\0\0\0\20\3\0\0\20\0\0\0n\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02215 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02216 408 NtQueryInformationProcess (336, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=568,ParentPid=388,}, 0x0, ) == 0x0 02217 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239572, ... ) }, 1239572, ... ) == 0x0 02218 408 NtAllocateVirtualMemory (-1, 0, 0, 1664, 4096, 4, ... 12713984, 4096, ) == 0x0 02219 408 NtAllocateVirtualMemory (336, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 02220 408 NtWriteVirtualMemory (336, 0x10000, (336, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 02221 408 NtAllocateVirtualMemory (336, 0, 0, 1664, 4096, 4, ... 131072, 4096, ) == 0x0 02222 408 NtWriteVirtualMemory (336, 0x20000, (336, 0x20000, "\0\20\0\0\200\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0D\0F\0\230\5\0\0v\0x\0\340\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0X\6\0\0\36\0 
\0\\6\0\0\0\0\2\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1664, ... 0x0, ) , 1664, ... 0x0, ) == 0x0 02223 408 NtWriteVirtualMemory (336, 0x7ffdf010, (336, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02224 408 NtWriteVirtualMemory (336, 0x7ffdf1e8, (336, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02225 408 NtFreeVirtualMemory (-1, (0xc20000), 0, 32768, ... (0xc20000), 4096, ) == 0x0 02226 408 NtAllocateVirtualMemory (336, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02227 408 NtAllocateVirtualMemory (336, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 02228 408 NtProtectVirtualMemory (336, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 02229 408 NtCreateThread (0x1f03ff, 0x0, 336, 1239772, 1240492, 1, ... 
340, {568, 584}, ) == 0x0 02230 408 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384056, 1241592} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384056, 1241592} "\0\0\0\0\0\0\1\0\2$\370w U\367wS\1\0\0T\1\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 408, 1506, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wP\1\0\0T\1\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 388, 408, 1506, 0} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384056, 1241592} "\0\0\0\0\0\0\1\0\2$\370w U\367wS\1\0\0T\1\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 388, 408, 1506, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wP\1\0\0T\1\0\08\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02231 408 NtResumeThread (340, ... 1, ) == 0x0 02232 408 NtClose (312, ... ) == 0x0 02233 408 NtClose (324, ... ) == 0x0 02234 408 NtDelayExecution (0, {-2000000, -1}, ... ) == 0x0 02235 408 NtClose (336, ... 
) == 0x0 02236 408 NtClose (340, ... ) == 0x0 02237 408 NtTerminateProcess (0, 0, ... ) == 0x0 02238 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x16,}, 4, ... ) == 0x0 02239 408 NtFreeVirtualMemory (-1, (0xae0000), 0, 32768, ... (0xae0000), 65536, ) == 0x0 02240 408 NtClose (256, ... ) == 0x0 02241 408 NtClose (260, ... ) == 0x0 02242 408 NtClose (268, ... ) == 0x0 02243 408 NtClose (264, ... ) == 0x0 02244 408 NtClose (272, ... ) == 0x0 02245 408 NtClose (244, ... ) == 0x0 02246 408 NtClose (252, ... ) == 0x0 02247 408 NtClose (288, ... ) == 0x0 02248 408 NtClose (284, ... ) == 0x0 02249 408 NtClose (280, ... ) == 0x0 02250 408 NtClose (276, ... ) == 0x0 02251 408 NtClose (248, ... ) == 0x0 02252 408 NtClose (224, ... ) == 0x0 02253 408 NtClose (232, ... ) == 0x0 02254 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 02255 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 02256 408 NtClose (228, ... ) == 0x0 02257 408 NtClose (220, ... ) == 0x0 02258 408 NtClose (208, ... ) == 0x0 02259 408 NtClose (212, ... ) == 0x0 02260 408 NtClose (216, ... ) == 0x0 02261 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 02262 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02263 408 NtWaitForMultipleObjects (2, (180, 188, ), 1, 0, 0x0, ... ) == 0x1 02264 408 NtClose (188, ... ) == 0x0 02265 408 NtSetEvent (180, ... 0x0, ) == 0x0 02266 408 NtClose (180, ... ) == 0x0 02267 408 NtWaitForMultipleObjects (2, (192, 196, ), 1, 0, 0x0, ... ) == 0x1 02268 408 NtClose (196, ... ) == 0x0 02269 408 NtSetEvent (192, ... 0x0, ) == 0x0 02270 408 NtClose (192, ... ) == 0x0 02271 408 NtWaitForMultipleObjects (2, (200, 204, ), 1, 0, 0x0, ... ) == 0x1 02272 408 NtClose (204, ... ) == 0x0 02273 408 NtSetEvent (200, ... 0x0, ) == 0x0 02274 408 NtClose (200, ... ) == 0x0 02275 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... 
) == 0x0 02276 408 NtFreeVirtualMemory (-1, (0xaa0000), 0, 32768, ... (0xaa0000), 262144, ) == 0x0 02277 408 NtUserUnregisterClass (1241892, 1991376896, 1241880, ... ) == 0x0 02278 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02279 408 NtClose (116, ... ) == 0x0 02280 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02281 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02282 408 NtClose (76, ... ) == 0x0 02283 408 NtClose (84, ... ) == 0x0 02284 408 NtClose (88, ... ) == 0x0 02285 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc03b 02286 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02287 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc03d 02288 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02289 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc03f 02290 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02291 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc041 02292 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02293 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc043 02294 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02295 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc045 02296 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02297 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc047 02298 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02299 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc049 02300 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02301 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... 
) == 0xc04b 02302 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02303 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc04d 02304 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02305 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc04f 02306 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02307 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc051 02308 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02309 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc053 02310 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02311 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc057 02312 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02313 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc059 02314 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02315 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc05b 02316 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02317 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc05d 02318 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02319 408 NtUserGetClassInfo (1999896576, 1241980, 1241932, 1242008, 0, ... ) == 0xc05f 02320 408 NtUserUnregisterClass (1241984, 1999896576, 1241972, ... ) == 0x1 02321 408 NtClose (80, ... ) == 0x0 02322 408 NtClose (72, ... ) == 0x0 02323 408 NtWaitForSingleObject (132, 0, 0x0, ... ) == 0x0 02324 408 NtClearEvent (132, ... ) == 0x0 02325 408 NtSetEvent (132, ... 0x0, ) == 0x0 02326 408 NtClose (132, ... ) == 0x0 02327 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 02328 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... 
) == 0x0 02329 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02330 408 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02331 408 NtFreeVirtualMemory (-1, (0xc10000), 4096, 32768, ... (0xc10000), 4096, ) == 0x0 02332 408 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 65536, 4791668, 1, 68} (24, {20, 48, new_msg, 0, 65536, 4791668, 1, 68} "\0\0\0\0\3\0\1\0\10\25\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 408, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 388, 408, 1520, 0} (24, {20, 48, new_msg, 0, 65536, 4791668, 1, 68} "\0\0\0\0\3\0\1\0\10\25\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 388, 408, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02333 408 NtTerminateProcess (-1, 0, ... 02334 408 NtClose (44, ... ) == 0x0