Summary:





NtAddAtom(>)  1 
NtUserGetProcessWindowStation(>)  1 
NtEnumerateKey(>)  6 
NtProtectVirtualMemory(>)  23 


NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetEvent(>)  6 
NtCreateFile(>)  24 


NtConnectPort(>)  1 
NtAccessCheck(>)  2 
NtCreateMutant(>)  7 
NtOpenProcessTokenEx(>)  26 


NtCreateProcessEx(>)  1 
NtContinue(>)  2 
NtQueryDirectoryFile(>)  7 
NtOpenThreadTokenEx(>)  26 


NtCreateThread(>)  1 
NtDelayExecution(>)  2 
NtSetInformationProcess(>)  8 
NtQueryDebugFilterState(>)  26 


NtDuplicateToken(>)  1 
NtDuplicateObject(>)  2 
NtCreateKey(>)  9 
NtFreeVirtualMemory(>)  30 


NtEnumerateValueKey(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtCreateSemaphore(>)  10 
NtQueryInformationToken(>)  32 


NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtFlushInstructionCache(>)  10 
NtQuerySection(>)  32 


NtGdiCreateBitmap(>)  1 
NtOpenProcess(>)  2 
NtOpenMutant(>)  10 
NtQuerySystemInformation(>)  33 


NtGdiInit(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtCreateSection(>)  44 


NtGdiQueryFontAssocInfo(>)  1 
NtQueryInstallUILanguage(>)  2 
NtReleaseMutant(>)  10 
NtUserUnregisterClass(>)  46 


NtGdiSelectBitmap(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtUserSystemParametersInfo(>)  10 
NtUserFindExistingCursorIcon(>)  48 


NtOpenKeyedEvent(>)  1 
NtReadVirtualMemory(>)  2 
NtRequestWaitReplyPort(>)  11 
NtQueryVirtualMemory(>)  52 


NtQueryEvent(>)  1 
NtTerminateProcess(>)  2 
NtQueryVolumeInformationFile(>)  12 
NtOpenSection(>)  54 


NtQueryInformationJobObject(>)  1 
NtClearEvent(>)  3 
NtSetInformationThread(>)  13 
NtUserRegisterClassExWOW(>)  63 


NtQueryObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetValueKey(>)  13 
NtMapViewOfSection(>)  69 


NtQueryPerformanceCounter(>)  1 
NtNotifyChangeKey(>)  3 
NtQueryInformationProcess(>)  14 
NtOpenFile(>)  73 


NtQueryTimerResolution(>)  1 
NtOpenEvent(>)  3 
NtSetInformationFile(>)  15 
NtUserGetClassInfo(>)  82 


NtRegisterThreadTerminatePort(>)  1 
NtReleaseSemaphore(>)  3 
NtReadFile(>)  18 
NtAllocateVirtualMemory(>)  113 


NtResumeThread(>)  1 
NtSetInformationObject(>)  3 
NtWaitForSingleObject(>)  18 
NtQueryAttributesFile(>)  123 


NtSecureConnectPort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryDefaultLocale(>)  19 
NtOpenKey(>)  193 


NtTestAlert(>)  1 
NtWriteVirtualMemory(>)  4 
NtUnmapViewOfSection(>)  20 
NtClose(>)  335 


NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtUserRegisterWindowMessage(>)  20 
NtQueryValueKey(>)  340 


NtUserCallOneParam(>)  1 
NtOpenProcessToken(>)  5 
NtQueryInformationFile(>)  21 


NtUserGetDC(>)  1 
NtOpenThreadToken(>)  5 
NtWriteFile(>)  21 


NtUserGetObjectInformation(>)  1 



Trace:

 00001   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   452   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   452   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   452   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   452   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   452   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   452   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   452   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   452   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   452   NtClose  (12, ... ) == 0x0
 00014   452   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   452   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   452   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   452   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   452   NtClose  (16, ... ) == 0x0
 00021   452   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   452   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   452   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   452   NtClose  (16, ... ) == 0x0
 00026   452   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   452   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   452   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   452   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1493, 0} "\3603\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 444, 452, 1493, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1493, 0} "\3603\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   452   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   452   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   452   NtClose  (16, ... ) == 0x0
 00036   452   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   452   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   452   NtClose  (28, ... ) == 0x0
 00041   452   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   452   NtClose  (28, ... ) == 0x0
 00045   452   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   452   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   452   NtClose  (28, ... ) == 0x0
 00049   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   452   NtClose  (28, ... ) == 0x0
 00052   452   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1494, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 444, 452, 1494, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1494, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   452   NtProtectVirtualMemory  (-1, (0x47c000), 8192, 4, ... (0x47c000), 8192, 128, ) == 0x0
 00057   452   NtProtectVirtualMemory  (-1, (0x47c000), 8192, 128, ... (0x47c000), 8192, 4, ) == 0x0
 00058   452   NtFlushInstructionCache  (-1, 4702208, 8192, ... ) == 0x0
 00059   452   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   452   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   452   NtClose  (28, ... ) == 0x0
 00062   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   452   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   452   NtClose  (28, ... ) == 0x0
 00065   452   NtTestAlert  (... ) == 0x0
 00066   452   NtContinue  (1244464, 1, ...
 00067   452   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47e000,}, 4, ... ) == 0x0
 00068   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00069   452   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00070   452   NtClose  (28, ... ) == 0x0
 00071   452   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00072   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00073   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00074   452   NtClose  (28, ... ) == 0x0
 00075   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00076   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00077   452   NtClose  (28, ... ) == 0x0
 00078   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00079   452   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00080   452   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00081   452   NtClose  (28, ... ) == 0x0
 00082   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00083   452   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   452   NtClose  (28, ... ) == 0x0
 00085   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00086   452   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00087   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 32, ) == 0x0
 00090   452   NtQueryInformationToken  (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00091   452   NtClose  (32, ... ) == 0x0
 00092   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0
 00093   452   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00094   452   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 36, ) }, ... 36, ) == 0x0
 00095   452   NtQueryValueKey  (36,  (36, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   452   NtClose  (36, ... ) == 0x0
 00097   452   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00098   452   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00099   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) == 0x0
 00100   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00101   452   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 444, 452, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 444, 452, 1497, 0}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 444, 452, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00102   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) == 0x0
 00103   452   NtClose  (40, ... ) == 0x0
 00104   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00105   452   NtClose  (-2147482208, ... ) == 0x0
 00104   452   NtCreateFile  ... 40, {status=0x0, info=3}, ) == 0x0
 00106   452   NtSetInformationFile  (36, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00107   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\16\236z\2A\304*\2G\304%\2\274;*\2\373\304*\2C\304*\2\3\3040\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\306*\2\371\324*\14\p#\317b|+N\216\345\272\222\27\254Cqc\264Xm$\266Koc\251_q7\344Hgc\266_lc\261Df&\266\12U*\252\310N\316\165C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2C\304*\2", ) , ) == 0x0
 00108   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00109   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "O;:\375W;\206\1\32\205mW\367\17<[\216\305w\366@\214E>d\3151\\17\211\177m1\275\32\13u\330\26\262.\331!\232\323\333\305n\274\227\360\363\326\205\32*)\200@\300\307\3761`?f\205="h\224\14\7w\202\312\203\242\241R\232\230n\250BF\237-/T\306W\257I\15\357B\206k\243oO\352\277W\372\337ws\354P1&\344yP\273\377\277C3@\301\q\320\26h\257\350k\354n\342\6l;\301\10\310\26\304S\352Qv\241\5\3209Q'_\254\356 J\330\304\220\243\234{\25{\234f\222[RF\27\373\10\354\330'\3552\221QF\213a\217\314\320\200\273\360E4b\37zf\263\234\244P@K\33\4%\255n6\232\342\312\20\10\327\322SjX\362I \376\242\3\3177b\221\256( B5+\23\300\225\346\236F*\251\31\217\2*ej\22\3722\352\357\266Qm\336jU\6\312\303\3v\360\376\222\331\36\346KV\301\7\316g\326\12]\226b\346Bz \246\341\353h\6\273\3\317\352\266M\220J\26\207F}\26\260\322w\1?|F\303+d,G\363y\347\314\353e\22\201;\234G2\3\354\362\23\255\216rd\37r\272\36\213\344t\26\274;\240\324\363f|\35\323\3247\311\2\374{n\365\340U\210\232(\247O\2577z\31\0r\214\276\1\347\302{\253sc\261~ \14\346\33\317\241\13\373\37_\0A\334N\231\317l\243@\33\312|\206\347"\271^\244\203('\3\226o\1\30qB\374\\302\16\362\4\242i\271H\204~{\365\360+\260V\256\232\15\367\220@\202\324\2375o?\26k\2\350\275\347%\276\22\211\16\205o\336\237\313\244\264\241} \250\2\200\375"\212\345\366[", ) h\224\14\7w\202\312\203\242\241R\232\230n\250BF\237-/T\306W\257I\15\357B\206k\243oO\352\277W\372\337ws\354P1&\344yP\273\377\277C3@\301\q\320\26h\257\350k\354n\342\6l;\301\10\310\26\304S\352Qv\241\5\3209Q'_\254\356 J\330\304\220\243\234{\25{\234f\222[RF\27\373\10\354\330'\3552\221Q207 :K\247\302BM\26l\304>F\213a\217\314\320\200\273\360E4b\37zf\263\234\244P@K\33\4%\255n6\232\342\312\20\10\327\322SjX\362I \376\242\3\3177b\221\256( B5+\23\300\225\346\236F*\251\31\217\2*ej\22\3722\352\357\266Qm\336jU\6\312\303\3v\360\376\222\331\36\346KV\301\7\316g\326\12]\226b\346Bz \246\341\353h\6\273\3\317\352\266M\220J\26\207F}\26\260\322w\1?|F\303+d,G\363y\347\314\353e\22\201;\234G2\3\354\362\23\255\216rd\37r\272\36\213\344t\26\274;\240\324\363f|\35\323\3247\311\2\374{n\365\340U\210\232(\247O\2577z\31\0r\214\276\1\347\302{\253sc\261~ \14\346\33\317\241\13\373\37_\0A\334N\231\317l\243@\33\312|\206\347 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "O;:\375W;\206\1\32\205mW\367\17<[\216\305w\366@\214E>d\3151\\17\211\177m1\275\32\13u\330\26\262.\331!\232\323\333\305n\274\227\360\363\326\205\32*)\200@\300\307\3761`?f\205="h\224\14\7w\202\312\203\242\241R\232\230n\250BF\237-/T\306W\257I\15\357B\206k\243oO\352\277W\372\337ws\354P1&\344yP\273\377\277C3@\301\q\320\26h\257\350k\354n\342\6l;\301\10\310\26\304S\352Qv\241\5\3209Q'_\254\356 J\330\304\220\243\234{\25{\234f\222[RF\27\373\10\354\330'\3552\221QF\213a\217\314\320\200\273\360E4b\37zf\263\234\244P@K\33\4%\255n6\232\342\312\20\10\327\322SjX\362I \376\242\3\3177b\221\256( B5+\23\300\225\346\236F*\251\31\217\2*ej\22\3722\352\357\266Qm\336jU\6\312\303\3v\360\376\222\331\36\346KV\301\7\316g\326\12]\226b\346Bz \246\341\353h\6\273\3\317\352\266M\220J\26\207F}\26\260\322w\1?|F\303+d,G\363y\347\314\353e\22\201;\234G2\3\354\362\23\255\216rd\37r\272\36\213\344t\26\274;\240\324\363f|\35\323\3247\311\2\374{n\365\340U\210\232(\247O\2577z\31\0r\214\276\1\347\302{\253sc\261~ \14\346\33\317\241\13\373\37_\0A\334N\231\317l\243@\33\312|\206\347"\271^\244\203('\3\226o\1\30qB\374\\302\16\362\4\242i\271H\204~{\365\360+\260V\256\232\15\367\220@\202\324\2375o?\26k\2\350\275\347%\276\22\211\16\205o\336\237\313\244\264\241} \250\2\200\375"\212\345\366[", ) \212\345\366[", ) == 0x0
 00110   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373350\22\262\213\7\223\375{%\34h\304 (40, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\3731\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373227\345fz8\213MAE\334\334\17\216\266\342\271\12\252AD\327 \311!\334Y", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00111   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203"8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200"]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236Jv\10\261\330$\364\200\33\265K65;}\230\236\323\25\3\340$\3z\317\240E\311\356\253\343\274\33U5;\355]\331\311\234I\226\311\232 n?\332\325\300\356m!\24[K4\17z\2340\202\244\33\23\311B>\334\4\277s*MR\3341w\257u\334\3645\337\12\225\250\14\25\202\246\33\20\30\250&7~\30$\334\210/\336\273n[\206\357\220\244\217_\362\222\273\313\6\314g\20\211|w.\202|\303\361\0\230j\251\323\14\305\235\15\261\216:x\243{:\303D:\30pH\263'\15\374\15)^\312\237\237>\204;\373\214\315\231\321]\353\375+\303\311\305\252\371A\266 |D\300\212\330\255\34X\0E\2675\210\324.C\362\205>g\306\341\344\260\366\22e] \373&\7\274cq\352\2647\365\325", ) 8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203"8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200"]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236Jv\10\261\330$\364\200\33\265K65;}\230\236\323\25\3\340$\3z\317\240E\311\356\253\343\274\33U5;\355]\331\311\234I\226\311\232 n?\332\325\300\356m!\24[K4\17z\2340\202\244\33\23\311B>\334\4\277s*MR\3341w\257u\334\3645\337\12\225\250\14\25\202\246\33\20\30\250&7~\30$\334\210/\336\273n[\206\357\220\244\217_\362\222\273\313\6\314g\20\211|w.\202|\303\361\0\230j\251\323\14\305\235\15\261\216:x\243{:\303D:\30pH\263'\15\374\15)^\312\237\237>\204;\373\214\315\231\321]\353\375+\303\311\305\252\371A\266 |D\300\212\330\255\34X\0E\2675\210\324.C\362\205>g\306\341\344\260\366\22e] \373&\7\274cq\352\2647\365\325", ) \317\240E\311\356\253\343\274\33U5;\355]\331\311\234I\226\311\232 n?\332\325\300\356m!\24[K4\17z\2340\202\244\33\23\311B>\334\4\277s*MR\3341w\257u\334\3645\337\12\225\250\14\25\202\246\33\20\30\250&7~\30$\334\210/\336\273n[\206\357\220\244\217_\362\222\273\313\6\314g\20\211|w.\202|\303\361\0\230j\251\323\14\305\235\15\261\216:x\243{:\303D:\30pH\263'\15\374\15)^\312\237\237>\204;\373\214\315\231\321]\353\375+\303\311\305\252\371A\266 |D\300\212\330\255\34X\0E\2675\210\324.C\362\205>g\306\341\344\260\366\22e] \373&\7\274cq\352\2647\365\325", ) == 0x0
 00112   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "KcTP,\207l#b\246d`\262\34\262\214j!lh\312r\3102r\14tp\245#\31,\313z|5H%\20\223xC\202O#\30\177\205\236\235\244\244\14\302\25\16\273\3639\252D\2\361\264P9\34\202\367\300+\213\2069\232\203Ha@o*\201\246\377\357\276(\212G\10:\320t9\366F\2733\230U\223\252]\334W\4\371\331\212\272n\4F4\363F\37\306m\205(p\2700\24\5\14N\30z\10.JV0v\254\346\33\366\330\27\13\200K@X\303\13\34\227<\254\272\263\264\303k\270q\224X\217\344%\270x\224\1\367\14p\301\277\344Fals\207Sw\313 \37True\1.\31\322\212D$x\253P\26D\20\27%.\364[w;1\311\212HCD\10_\342\377\27\272\0\10\215u\17\213|\10\71\300\212\16;J\374u\275\365\13\335\216\\12\362\34\16\366\303\337\237Iu\361\21\177\333Z\371\27@$\16\19\370~\335*=+h\304;\2008'\301Wj\330\373\3022\6d\376\270\367\267\333_\257\211\321\11a\13\212G\212*\201\341\377\337\1777x)w\333\212Xc\224\212^\12l|\36\377\302\255\251\13\26\30\217\36\159X\32\200\347\3379\313\1\372\366\6\374\267\0O\21\30\33u\354\261\366\366v\33 \227\353\310?\200\345\337:\32\353\342\35|[\340\366\212l\32\221l\30B\305\222\347Ku\360\321\177\341\4\217\243:\213?\263\4\200?\7\333\2\333\256\203\321O\1\267\17\362J\20z\340\277\20\301\7\3762r\13w\15\17\277\311\3\\211[\265<\307\377\321\216\216]\373_\2509\1\301\212\1\200\373\2r\12~\7\4\240\332\356\330r\2\6s\37\23s\20\4A\261A\24e\205%\316\262\265\326O_c?\14\5\377\247[\350\367\363\337\327", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00113   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\313N\247\227}l\322\365\217!\242\2612\356\3522Z\230\271$\303\3(\210\314\262\241\314\307\376M\12\313\300s.\342fh=\304f\205\350g5^a\21\340(6\235^\333WK\226\37\212\317\201fvV\375>\216\311\310\375oR5\250\4\22\316\327\202rh7\114\320\271\210\26?\32\264\265B=S\6\262\37\203f\242\353k\247\365\355z\1\230\\216o\3069\206\301\336\215\230\307\317\322\24\303\277\37\2643]\200\24j\371\177\224\303R^\22\300\206B[\3\367\15y\316\301>#\320"\351\300e\212(\375%e\3666%c@I\236\26\12\366V\316\22\366\223\16(\7(\314:\324n\35\356\335G\356E\2x\224\260K\265\22-o\263\26\205\317\330\30:\177\374\26`\21p\16:\344\274\232\237Q#\21u\30\312\276\34\237=\256\343B\321n\231K\276\13\342A\256,.\206\247\2135\371\3|\270\265\6:\362\22IBC\342\336\374\312\247\376\321\6u\230\270Z\263/6\32\343B\26iId:\37p\15+r\373\336~\15\324(2#\251d\222\3\210p\351\||_\232n\305\1\273\26:\12\337d\213\336\24\2722o\3744\222\7b'\213\362\351i\325\326\241\200\7\210\24\235\271!b\327d\243\324t\335`M\322\200\310\22\363%w\27K\330\+\5\346k\366\0N8\22(T*\14\267\236E\23\273\305db)4\206Wmf\270\2\303\300.*\335T\215\3T\304\336\200&\200!%@\321\216\13\344,\262n\344\236\13\361)1,\362vm\302\236\257\27+\30C3j\372\337\227]|v\250|c\253\273:\35_!0\272\221<\177\353\23\3134r\267\13\4\313V\0nd\264\3("\362\211\235\13\26\271\35`\275/\4\14\0p\217\212O\4\355u5\351\367qN\22"\262", ) \351\300e\212(\375%e\3666%c@I\236\26\12\366V\316\22\366\223\16(\7(\314:\324n\35\356\335G\356E\2x\224\260K\265\22-o\263\26\205\317\330\30:\177\374\26`\21p\16:\344\274\232\237Q#\21u\30\312\276\34\237=\256\343B\321n\231K\276\13\342A\256,.\206\247\2135\371\3|\270\265\6:\362\22IBC\342\336\374\312\247\376\321\6u\230\270Z\263/6\32\343B\26iId:\37p\15+r\373\336~\15\324(2#\251d\222\3\210p\351\||_\232n\305\1\273\26:\12\337d\213\336\24\2722o\3744\222\7b'\213\362\351i\325\326\241\200\7\210\24\235\271!b\327d\243\324t\335`M\322\200\310\22\363%w\27K\330\+\5\346k\366\0N8\22(T*\14\267\236E\23\273\305db)4\206Wmf\270\2\303\300.*\335T\215\3T\304\336\200&\200!%@\321\216\13\344,\262n\344\236\13\361)1,\362vm\302\236\257\27+\30C3j\372\337\227]|v\250|c\253\273:\35_!0\272\221<\177\353\23\3134r\267\13\4\313V\0nd\264\3( (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\313N\247\227}l\322\365\217!\242\2612\356\3522Z\230\271$\303\3(\210\314\262\241\314\307\376M\12\313\300s.\342fh=\304f\205\350g5^a\21\340(6\235^\333WK\226\37\212\317\201fvV\375>\216\311\310\375oR5\250\4\22\316\327\202rh7\114\320\271\210\26?\32\264\265B=S\6\262\37\203f\242\353k\247\365\355z\1\230\\216o\3069\206\301\336\215\230\307\317\322\24\303\277\37\2643]\200\24j\371\177\224\303R^\22\300\206B[\3\367\15y\316\301>#\320"\351\300e\212(\375%e\3666%c@I\236\26\12\366V\316\22\366\223\16(\7(\314:\324n\35\356\335G\356E\2x\224\260K\265\22-o\263\26\205\317\330\30:\177\374\26`\21p\16:\344\274\232\237Q#\21u\30\312\276\34\237=\256\343B\321n\231K\276\13\342A\256,.\206\247\2135\371\3|\270\265\6:\362\22IBC\342\336\374\312\247\376\321\6u\230\270Z\263/6\32\343B\26iId:\37p\15+r\373\336~\15\324(2#\251d\222\3\210p\351\||_\232n\305\1\273\26:\12\337d\213\336\24\2722o\3744\222\7b'\213\362\351i\325\326\241\200\7\210\24\235\271!b\327d\243\324t\335`M\322\200\310\22\363%w\27K\330\+\5\346k\366\0N8\22(T*\14\267\236E\23\273\305db)4\206Wmf\270\2\303\300.*\335T\215\3T\304\336\200&\200!%@\321\216\13\344,\262n\344\236\13\361)1,\362vm\302\236\257\27+\30C3j\372\337\227]|v\250|c\253\273:\35_!0\272\221<\177\353\23\3134r\267\13\4\313V\0nd\264\3("\362\211\235\13\26\271\35`\275/\4\14\0p\217\212O\4\355u5\351\367qN\22"\262", ) \262", ) == 0x0
 00114   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\210\212\215\225>\250\370\367\314\345\210\263q*\3000\31\\223&\200\307\2\212\217v\213\316\204:g\10\210\4Y,\241\242B?\207\242\257\352$\361tcR$\24\336\232\361U\10R5\210\214ELt\259\24\214\212\14\327m\21\361\202\6Q\12\375\2001\254\35\13w\24\223\212U\3730\266\366\206\27QEv5\201%f\301i\3441\307xB\v\214,\2\23\204\202\32\247\232\204\13\370\26\200{5\266p\231\252\26)=U\226\200\226t\20\203BhY@3'{\215\5\24!\223\346\303\302&N\2\377f\241\3344f\247jK\335\322 \364\25\128\364\320\312\2\5k\10\20\326-\331\304\337\4*o\0;P<2\10q8/,w<\207\214\3428<8A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00115   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=4866},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=4866}, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", ) \303|\272u\315SU\340\236", ) == 0x0
 00116   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00117   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00118   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00119   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00120   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00121   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00122   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00123   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00124   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00125   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00126   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00127   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00128   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00129   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00130   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00131   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00132   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00133   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00134   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00135   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00136   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00137   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00138   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \303|\272u\315SU\340\236", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00139   452   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00140   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00141   452   NtReadFile  (36, 0, 0, 0, 2048, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00142   452   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\313\363PufMr$4\22\247r[\306\35tu\3 \213_\15\245\333\1338\11c\314|\231Q\221Q\261\202\251'\3448\4\27I\230H@\36\237\30\2\5\371j\220\27\313\306.\305\36\304\224m\225\332\27\2523\376L\35O\3223\216\21607\376\11\226o4\351n*W\34O\200\245\221T\343]7\7\250B\360\333}Af\277\233\352\362\250\260:\250\347D\7\363\231h`\257j\300\7\360\27B@t;\331\316b(pV\276\330\16\247/\12_\324H+\341\1O@j\205ac\16\32#\330\20\243\247(\320\323 XR-$&\360F\301\361\3Y$\230\15\304Y\362\10\217\377^0\275Ds\10\332$\35Q\233\277\33u\345\325\226(\330\250\243\263\267\273&\224\20\270|\240\200\3122\11\13\266}\30\2415\340\242\177\237X\203U\302q\260\262\15<\316j'k\13\252\204\211rz@\212b\205\2672\0\2W\22\362k~J\332B\217iq@\373\22\261N-\241\352\3024\315l\363w"\303|\272u\315SU\340\236", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \303|\272u\315SU\340\236", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00143   452   NtClose  (40, ... ) == 0x0
 00144   452   NtClose  (36, ... ) == 0x0
 00145   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 1242416, ... ) }, 1242416, ... ) == 0x0
 00146   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00147   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 36, ... 40, ) == 0x0
 00148   452   NtClose  (36, ... ) == 0x0
 00149   452   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0
 00150   452   NtClose  (40, ... ) == 0x0
 00151   452   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00152   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00153   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00154   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oja1.tmp"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00155   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00156   452   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00157   452   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00158   452   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00159   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00161   452   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00162   452   NtClose  (48, ... ) == 0x0
 00163   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00164   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00165   452   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00166   452   NtClose  (48, ... ) == 0x0
 00167   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   452   NtClose  (44, ... ) == 0x0
 00169   452   NtClose  (40, ... ) == 0x0
 00170   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 475136, ) == STATUS_IMAGE_NOT_AT_BASE
 00171   452   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00172   452   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00173   452   NtContinue  (1240976, 0, ...
 00174   452   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00175   452   NtClose  (36, ... ) == 0x0
 00176   452   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00177   452   NtProtectVirtualMemory  (-1, (0x4000e0), 4096, 4, ... (0x400000), 8192, 2, ) == 0x0
 00178   452   NtProtectVirtualMemory  (-1, (0x4000e0), 4096, 4, ... (0x400000), 8192, 4, ) == 0x0
 00179   452   NtAllocateVirtualMemory  (-1, 0, 0, 16777216, 4096, 64, ... 4718592, 16777216, ) == 0x0
 00180   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243084, ... ) }, 1243084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243084, ... ) }, 1243084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243084, ... ) }, 1243084, ... ) == 0x0
 00184   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00185   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0
 00186   452   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00187   452   NtClose  (36, ... ) == 0x0
 00188   452   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00189   452   NtClose  (40, ... ) == 0x0
 00190   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00191   452   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00192   452   NtClose  (40, ... ) == 0x0
 00193   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00196   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242280, ... ) }, 1242280, ... ) == 0x0
 00197   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00198   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00199   452   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00200   452   NtClose  (40, ... ) == 0x0
 00201   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00202   452   NtClose  (36, ... ) == 0x0
 00203   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00204   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00205   452   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00206   452   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00207   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 36, ) }, ... 36, ) == 0x0
 00208   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00209   452   NtClose  (36, ... ) == 0x0
 00210   452   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00211   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00213   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00214   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0
 00215   452   NtAllocateVirtualMemory  (-1, 3407872, 0, 4096, 4096, 4, ... 3407872, 4096, ) == 0x0
 00216   452   NtAllocateVirtualMemory  (-1, 3411968, 0, 8192, 4096, 4, ... 3411968, 8192, ) == 0x0
 00217   452   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00218   452   NtAllocateVirtualMemory  (-1, 3420160, 0, 4096, 4096, 4, ... 3420160, 4096, ) == 0x0
 00219   452   NtQueryPerformanceCounter  (... {89112526, 0}, {3579545, 0}, ) == 0x0
 00220   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00221   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00222   452   NtClose  (36, ... ) == 0x0
 00223   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00224   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00225   452   NtClose  (36, ... ) == 0x0
 00226   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00227   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 16641016, 1327552, 1311096}  (24, {28, 56, new_msg, 0, 2, 16641016, 1327552, 1311096} "\210\6\31\1\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1508, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 444, 452, 1508, 0}  (24, {28, 56, new_msg, 0, 2, 16641016, 1327552, 1311096} "\210\6\31\1\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1508, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00228   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   452   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1550000), 0x0, 1060864, ) == 0x0
 00230   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00231   452   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00232   452   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00233   452   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00234   452   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00235   452   NtClose  (-2147482208, ... ) == 0x0
 00236   452   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3473408, 4096, ) == 0x0
 00237   452   NtFreeVirtualMemory  (-1, (0x350000), 4096, 32768, ... (0x350000), 4096, ) == 0x0
 00238   452   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00239   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00240   452   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   452   NtClose  (-2147482208, ... ) == 0x0
 00242   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00243   452   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00244   452   NtClose  (-2147482208, ... ) == 0x0
 00245   452   NtQueryDefaultLocale  (0, -130971124, ... ) == 0x0
 00246   452   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00247   452   NtUserCallNoParam  (24, ... ) == 0x0
 00248   452   NtGdiCreateCompatibleDC  (0, ...
 00249   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00248   452   NtGdiCreateCompatibleDC  ... ) == 0x140103c9
 00250   452   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00251   452   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00252   452   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x140503fd
 00253   452   NtGdiCreateSolidBrush  (0, 0, ...
 00254   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3538944, 4096, ) == 0x0
 00253   452   NtGdiCreateSolidBrush  ... ) == 0x1d100403
 00255   452   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00256   452   NtGdiCreateCompatibleDC  (0, ... ) == 0xe01040b
 00257   452   NtGdiSelectBitmap  (234947595, 335873021, ... ) == 0x185000f
 00258   452   NtUserGetThreadDesktop  (452, 0, ... ) == 0x30
 00259   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00260   452   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00261   452   NtClose  (56, ... ) == 0x0
 00262   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00263   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 673, 128, 0, ... ) == 0x810dc017
 00264   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00265   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 674, 128, 0, ... ) == 0x810dc01c
 00266   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00267   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 675, 128, 0, ... ) == 0x810dc01e
 00268   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00269   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 676, 128, 0, ... ) == 0x810d8002
 00270   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10013
 00271   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 677, 128, 0, ... ) == 0x810dc018
 00272   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00273   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 678, 128, 0, ... ) == 0x810dc01a
 00274   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00275   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 679, 128, 0, ... ) == 0x810dc01d
 00276   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00277   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 681, 128, 0, ... ) == 0x810dc026
 00278   452   NtUserFindExistingCursorIcon  (1238112, 1238128, 1238696, ... ) == 0x10011
 00279   452   NtUserRegisterClassExWOW  (1238632, 1238712, 1238696, 1238728, 680, 128, 0, ... ) == 0x810dc019
 00280   452   NtUserRegisterClassExWOW  (1238584, 1238664, 1238648, 1238680, 0, 128, 0, ...
 00281   452   NtAllocateVirtualMemory  (-1, 23556096, 0, 4096, 4096, 32, ... 23556096, 4096, ) == 0x0
 00280   452   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00282   452   NtUserRegisterClassExWOW  (1238584, 1238660, 1238676, 1238648, 0, 130, 0, ... ) == 0x810dc022
 00283   452   NtUserRegisterClassExWOW  (1238584, 1238664, 1238648, 1238680, 0, 128, 0, ... ) == 0x810dc023
 00284   452   NtUserRegisterClassExWOW  (1238584, 1238660, 1238676, 1238648, 0, 130, 0, ... ) == 0x810dc024
 00285   452   NtUserRegisterClassExWOW  (1238584, 1238664, 1238648, 1238680, 0, 128, 0, ... ) == 0x810dc025
 00286   452   NtCallbackReturn  (0, 0, 0, ...
 00287   452   NtGdiInit  (... ) == 0x1
 00288   452   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00289   452   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00290   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00291   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00292   452   NtClose  (56, ... ) == 0x0
 00293   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00294   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00295   452   NtClose  (56, ... ) == 0x0
 00296   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00297   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00298   452   NtClose  (56, ... ) == 0x0
 00299   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00300   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00301   452   NtClose  (56, ... ) == 0x0
 00302   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00303   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00304   452   NtClose  (56, ... ) == 0x0
 00305   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00306   452   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00307   452   NtClose  (56, ... ) == 0x0
 00308   452   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   452   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00311   452   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00312   452   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00313   452   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0
 00314   452   NtCreateEvent  (0x1f0003, {24, 56, 0x80, 1240440, 0,  (0x1f0003, {24, 56, 0x80, 1240440, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00315   452   NtOpenEvent  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 60, ) }, ... 60, ) == 0x0
 00316   452   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00317   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00318   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00319   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0
 00320   452   NtQueryValueKey  (64,  (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00321   452   NtClose  (64, ... ) == 0x0
 00322   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00323   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00324   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00325   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00326   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0
 00327   452   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00328   452   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   452   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330   452   NtClose  (64, ... ) == 0x0
 00331   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0
 00332   452   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333   452   NtQueryValueKey  (64,  (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   452   NtClose  (64, ... ) == 0x0
 00335   452   NtOpenEvent  (0x1f0003, {24, 56, 0x0, 0, 0,  (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   452   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00337   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   452   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   452   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00341   452   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00342   452   NtQueryDefaultUILanguage  (1238676, ...
 00343   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00344   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00345   452   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00346   452   NtClose  (-2147482208, ... ) == 0x0
 00347   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00348   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00349   452   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00350   452   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   452   NtClose  (-2147482196, ... ) == 0x0
 00352   452   NtClose  (-2147482208, ... ) == 0x0
 00342   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00353   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00354   452   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00355   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00356   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00357   452   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1960000), 0x0, 593920, ) == 0x0
 00358   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   452   NtQueryDefaultUILanguage  (2013024600, ...
 00360   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00361   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00362   452   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00363   452   NtClose  (-2147482208, ... ) == 0x0
 00364   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00365   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   452   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00367   452   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   452   NtClose  (-2147482196, ... ) == 0x0
 00369   452   NtClose  (-2147482208, ... ) == 0x0
 00359   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00370   452   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00371   452   NtQueryDefaultLocale  (1, 1236712, ... ) == 0x0
 00372   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1509, 0}  (24, {128, 156, new_msg, 0, 1237568, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\345\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\1\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\351\22\0\0\0\0\0" )  ) == 0x0
 00374   452   NtClose  (68, ... ) == 0x0
 00375   452   NtClose  (72, ... ) == 0x0
 00376   452   NtUnmapViewOfSection  (-1, 0x1960000, ... ) == 0x0
 00377   452   NtUnmapViewOfSection  (-1, 0x12e940, ... ) == STATUS_NOT_MAPPED_VIEW
 00378   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00379   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00381   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00382   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235252, ... ) }, 1235252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00384   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00385   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00386   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235844, ... ) }, 1235844, ... ) == 0x0
 00387   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00388   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00389   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00390   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00391   452   NtClose  (68, ... ) == 0x0
 00392   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1960000), 0x0, 921600, ) == 0x0
 00393   452   NtClose  (76, ... ) == 0x0
 00394   452   NtUnmapViewOfSection  (-1, 0x1960000, ... ) == 0x0
 00395   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00396   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00397   452   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00398   452   NtClose  (76, ... ) == 0x0
 00399   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00400   452   NtClose  (68, ... ) == 0x0
 00401   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00402   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00403   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00404   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00405   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00406   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00407   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00408   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00409   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00410   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00411   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00412   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00413   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00414   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00415   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00416   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00417   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00418   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00419   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00420   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00421   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00422   452   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237028, ... ) , 42, 1237028, ... ) == 0x0
 00423   452   NtQueryDefaultUILanguage  (1235744, ...
 00424   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00425   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00426   452   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00427   452   NtClose  (-2147482208, ... ) == 0x0
 00428   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00429   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   452   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00431   452   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00432   452   NtClose  (-2147482196, ... ) == 0x0
 00433   452   NtClose  (-2147482208, ... ) == 0x0
 00423   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00434   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00435   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234596, ... ) }, 1234596, ... ) == 0x0
 00436   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00437   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00438   452   NtClose  (68, ... ) == 0x0
 00439   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 4096, ) == 0x0
 00440   452   NtClose  (76, ... ) == 0x0
 00441   452   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00442   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234236, ... ) }, 1234236, ... ) == 0x0
 00443   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234936,  (0x80100080, {24, 0, 0x40, 0, 1234936, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00444   452   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00445   452   NtClose  (76, ... ) == 0x0
 00446   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 4096, ) == 0x0
 00447   452   NtClose  (68, ... ) == 0x0
 00448   452   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00449   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00450   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00451   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x380000), 0x0, 4096, ) == 0x0
 00452   452   NtQueryInformationFile  (68, 1234556, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00453   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00454   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1510, 0}  (24, {128, 156, new_msg, 0, 1234636, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\314\335\22\0\0\0\0\0" )  ) == 0x0
 00455   452   NtClose  (68, ... ) == 0x0
 00456   452   NtClose  (76, ... ) == 0x0
 00457   452   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00458   452   NtUnmapViewOfSection  (-1, 0x12ddcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00459   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00460   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00461   452   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00462   452   NtUserGetDC  (0, ... ) == 0x1010052
 00463   452   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00464   452   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00465   452   NtUserSystemParametersInfo  (66, 12, 1237048, 0, ... ) == 0x1
 00466   452   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00467   452   NtAccessCheck  (1345968, 76, 0x1, 1236452, 1236396, 56, 1236480, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00468   452   NtClose  (76, ... ) == 0x0
 00469   452   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00470   452   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   452   NtClose  (76, ... ) == 0x0
 00472   452   NtUserSystemParametersInfo  (41, 500, 1236548, 0, ... ) == 0x1
 00473   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00474   452   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00476   452   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   452   NtClose  (68, ... ) == 0x0
 00478   452   NtClose  (76, ... ) == 0x0
 00479   452   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00480   452   NtUserSystemParametersInfo  (4130, 0, 1237072, 0, ... ) == 0x1
 00481   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00482   452   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00483   452   NtClose  (76, ... ) == 0x0
 00484   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00485   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc03b
 00486   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc03d
 00487   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00488   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc03f
 00489   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00490   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc041
 00491   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00492   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc043
 00493   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc045
 00494   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00495   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc047
 00496   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00497   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc049
 00498   452   NtUserGetClassInfo  (1905590272, 1236968, 1236920, 1236996, 0, ... ) == 0xc049
 00499   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00500   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04b
 00501   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00502   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04d
 00503   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00504   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc04f
 00505   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc051
 00506   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00507   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc053
 00508   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00509   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc055
 00510   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc057
 00511   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00512   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc059
 00513   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10013
 00514   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05b
 00515   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00516   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05d
 00517   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00518   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc05f
 00519   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00520   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc017
 00521   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00522   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc019
 00523   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10013
 00524   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc018
 00525   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00526   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc01a
 00527   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00528   452   NtUserRegisterClassExWOW  (1236804, 1236884, 1236868, 1236900, 0, 384, 0, ... ) == 0x810dc01c
 00529   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00530   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ...
 00531   452   NtAllocateVirtualMemory  (-1, 23560192, 0, 4096, 4096, 32, ... 23560192, 4096, ) == 0x0
 00530   452   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00532   452   NtUserFindExistingCursorIcon  (1236352, 1236368, 1236936, ... ) == 0x10011
 00533   452   NtUserRegisterClassExWOW  (1236864, 1236944, 1236928, 1236960, 0, 384, 0, ... ) == 0x810dc01b
 00534   452   NtUserFindExistingCursorIcon  (1236348, 1236364, 1236932, ... ) == 0x10011
 00535   452   NtUserRegisterClassExWOW  (1236860, 1236940, 1236924, 1236956, 0, 384, 0, ... ) == 0x810dc068
 00536   452   NtUserFindExistingCursorIcon  (1236356, 1236372, 1236940, ... ) == 0x10011
 00537   452   NtUserRegisterClassExWOW  (1236808, 1236888, 1236872, 1236904, 0, 384, 0, ... ) == 0x810dc06a
 00538   452   NtCreateKey  (0x2001f, {24, 32, 0x40, 0, 0,  (0x2001f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00539   452   NtQueryValueKey  (76,  (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   452   NtQueryValueKey  (76,  (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00541   452   NtQueryValueKey  (76,  (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   452   NtQueryValueKey  (76,  (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00543   452   NtQueryValueKey  (76,  (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   452   NtQueryValueKey  (76,  (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   452   NtQueryValueKey  (76,  (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00546   452   NtQueryValueKey  (76,  (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00547   452   NtQueryValueKey  (76,  (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00548   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00550   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00551   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239780, ... ) }, 1239780, ... ) == 0x0
 00552   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00553   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00554   452   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00555   452   NtClose  (68, ... ) == 0x0
 00556   452   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 00557   452   NtClose  (80, ... ) == 0x0
 00558   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0
 00559   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0
 00560   452   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 84, ) }, ... 84, ) == 0x0
 00561   452   NtQueryEvent  (84, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 00562   452   NtClose  (84, ... ) == 0x0
 00563   452   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241264, 140, ... 84, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241264, 140, ... 84, 0x0, 0x0, 256, 140, ) == 0x0
 00564   452   NtRequestWaitReplyPort  (84, {28, 52, new_msg, 0, 0, 0, 0, 0}  (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1512, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 444, 452, 1512, 0}  (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1512, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 00565   452   NtQueryValueKey  (76,  (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00566   452   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 88, ) }, ... 88, ) == 0x0
 00567   452   NtQueryValueKey  (88,  (88, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00568   452   NtClose  (88, ... ) == 0x0
 00569   452   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0
 00570   452   NtQueryValueKey  (88,  (88, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   452   NtClose  (88, ... ) == 0x0
 00572   452   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0
 00573   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 92, ) }, ... 92, ) == 0x0
 00574   452   NtQueryValueKey  (92,  (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00575   452   NtClose  (92, ... ) == 0x0
 00576   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 92, ) }, ... 92, ) == 0x0
 00577   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 96, ) }, ... 96, ) == 0x0
 00578   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 100, ) }, ... 100, ) == 0x0
 00579   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 104, ) }, ... 104, ) == 0x0
 00580   452   NtQueryValueKey  (104,  (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 00581   452   NtQueryValueKey  (104,  (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 00582   452   NtClose  (104, ... ) == 0x0
 00583   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0
 00584   452   NtQueryValueKey  (104,  (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 00585   452   NtQueryValueKey  (104,  (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 00586   452   NtQueryValueKey  (104,  (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 00587   452   NtQueryValueKey  (104,  (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 00588   452   NtQueryValueKey  (104,  (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 00589   452   NtQueryValueKey  (104,  (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 00590   452   NtClose  (104, ... ) == 0x0
 00591   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0
 00592   452   NtQueryValueKey  (104,  (104, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00593   452   NtClose  (104, ... ) == 0x0
 00594   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0
 00595   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00596   452   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00597   452   NtClose  (108, ... ) == 0x0
 00598   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 108, ) }, ... 108, ) == 0x0
 00599   452   NtQueryValueKey  (108,  (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00600   452   NtClose  (108, ... ) == 0x0
 00601   452   NtQueryDefaultUILanguage  (1236232, ...
 00602   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00603   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00604   452   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00605   452   NtClose  (-2147482208, ... ) == 0x0
 00606   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00607   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   452   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00609   452   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00610   452   NtClose  (-2147482196, ... ) == 0x0
 00611   452   NtClose  (-2147482208, ... ) == 0x0
 00601   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00612   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00614   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 112, ) == 0x0
 00615   452   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1960000), 0x0, 8323072, ) == 0x0
 00616   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617   452   NtQueryDefaultLocale  (1, 1234268, ... ) == 0x0
 00618   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\315\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1513, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\315\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1513, 0}  (24, {128, 156, new_msg, 0, 1235124, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\315\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1513, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\315\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\264\337\22\0\0\0\0\0" )  ) == 0x0
 00620   452   NtClose  (108, ... ) == 0x0
 00621   452   NtClose  (112, ... ) == 0x0
 00622   452   NtUnmapViewOfSection  (-1, 0x1960000, ... ) == 0x0
 00623   452   NtUnmapViewOfSection  (-1, 0x12dfb4, ... ) == STATUS_NOT_MAPPED_VIEW
 00624   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00625   452   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00626   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00627   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00628   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00629   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233352, ... ) }, 1233352, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00630   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00631   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00632   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00633   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233944, ... ) }, 1233944, ... ) == 0x0
 00634   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0
 00635   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00636   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00637   452   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00638   452   NtClose  (108, ... ) == 0x0
 00639   452   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {444, 0}, ... 108, ) == 0x0
 00640   452   NtQueryInformationProcess  (108, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00641   452   NtClose  (108, ... ) == 0x0
 00642   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00643   452   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00644   452   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00645   452   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00646   452   NtQueryValueKey  (108,  (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647   452   NtClose  (108, ... ) == 0x0
 00648   452   NtUserSystemParametersInfo  (41, 500, 1235808, 0, ... ) == 0x1
 00649   452   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00650   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00651   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00652   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc03b
 00653   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00654   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc03d
 00655   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00656   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00657   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc03f
 00658   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00659   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00660   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc041
 00661   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00662   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00663   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc043
 00664   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00665   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc045
 00666   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00667   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00668   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc047
 00669   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00670   452   NtUserFindExistingCursorIcon  (1235596, 1235612, 1236180, ... ) == 0x10011
 00671   452   NtUserRegisterClassExWOW  (1236048, 1236128, 1236112, 1236144, 0, 384, 0, ... ) == 0x810dc049
 00672   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00673   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00674   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc04b
 00675   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00676   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00677   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc04d
 00678   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00679   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00680   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc04f
 00681   452   NtUserGetClassInfo  (1999896576, 1236220, 1236172, 1236248, 0, ... ) == 0x0
 00682   452   NtUserRegisterClassExWOW  (1236056, 1236136, 1236120, 1236152, 0, 384, 0, ... ) == 0x810dc051
 00683   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00684   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00685   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc053
 00686   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00687   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00688   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc055
 00689   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc057
 00690   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00691   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00692   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc059
 00693   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00694   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10013
 00695   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc05b
 00696   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00697   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00698   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc05d
 00699   452   NtUserGetClassInfo  (1999896576, 1236216, 1236168, 1236244, 0, ... ) == 0x0
 00700   452   NtUserFindExistingCursorIcon  (1235600, 1235616, 1236184, ... ) == 0x10011
 00701   452   NtUserRegisterClassExWOW  (1236052, 1236132, 1236116, 1236148, 0, 384, 0, ... ) == 0x810dc05f
 00702   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03b
 00703   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03d
 00704   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc03f
 00705   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc041
 00706   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc043
 00707   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc045
 00708   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc047
 00709   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc049
 00710   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04b
 00711   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04d
 00712   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc04f
 00713   452   NtUserGetClassInfo  (1999896576, 1237972, 1237924, 1238000, 0, ... ) == 0xc051
 00714   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc053
 00715   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc055
 00716   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc059
 00717   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05b
 00718   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05d
 00719   452   NtUserGetClassInfo  (1999896576, 1237968, 1237920, 1237996, 0, ... ) == 0xc05f
 00720   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00721   452   NtCreateSemaphore  (0x1f0003, {24, 56, 0x80, 1356424, 0,  (0x1f0003, {24, 56, 0x80, 1356424, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 108, ) }, 0, 2147483647, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 00722   452   NtReleaseSemaphore  (108, 1, ... 0, ) == 0x0
 00723   452   NtWaitForSingleObject  (108, 0, {0, 0}, ... ) == 0x0
 00724   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00725   452   NtQueryValueKey  (116,  (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 00726   452   NtClose  (116, ... ) == 0x0
 00727   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 00728   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00729   452   NtSetValueKey  (116,  (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 00730   452   NtClose  (116, ... ) == 0x0
 00731   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 00732   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 00733   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 00734   452   NtSetInformationFile  (116, 1239532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00735   452   NtClose  (116, ... ) == 0x0
 00736   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 00737   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00738   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00739   452   NtQueryValueKey  (104,  (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 00740   452   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 116, ) }, ... 116, ) == 0x0
 00741   452   NtOpenKey  (0xf, {24, 116, 0x40, 0, 0,  (0xf, {24, 116, 0x40, 0, 0, "Paths"}, ... 120, ) }, ... 120, ) == 0x0
 00742   452   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Path1"}, ... 124, ) }, ... 124, ) == 0x0
 00743   452   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Path2"}, ... 128, ) }, ... 128, ) == 0x0
 00744   452   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Path3"}, ... 132, ) }, ... 132, ) == 0x0
 00745   452   NtOpenKey  (0xf, {24, 120, 0x40, 0, 0,  (0xf, {24, 120, 0x40, 0, 0, "Path4"}, ... 136, ) }, ... 136, ) == 0x0
 00746   452   NtOpenKey  (0xf, {24, 116, 0x40, 0, 0,  (0xf, {24, 116, 0x40, 0, 0, "Special Paths"}, ... 140, ) }, ... 140, ) == 0x0
 00747   452   NtSetValueKey  (120,  (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 00748   452   NtSetValueKey  (120,  (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00749   452   NtSetValueKey  (124,  (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 00750   452   NtSetValueKey  (128,  (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 00751   452   NtSetValueKey  (132,  (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 00752   452   NtSetValueKey  (136,  (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 00753   452   NtSetValueKey  (124,  (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 00754   452   NtSetValueKey  (128,  (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 00755   452   NtSetValueKey  (132,  (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 00756   452   NtSetValueKey  (136,  (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 00757   452   NtClose  (136, ... ) == 0x0
 00758   452   NtClose  (132, ... ) == 0x0
 00759   452   NtClose  (128, ... ) == 0x0
 00760   452   NtClose  (124, ... ) == 0x0
 00761   452   NtClose  (120, ... ) == 0x0
 00762   452   NtClose  (140, ... ) == 0x0
 00763   452   NtClose  (116, ... ) == 0x0
 00764   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 116, ) }, ... 116, ) == 0x0
 00765   452   NtQueryValueKey  (116,  (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00766   452   NtClose  (116, ... ) == 0x0
 00767   452   NtClose  (104, ... ) == 0x0
 00768   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 104, ) }, ... 104, ) == 0x0
 00769   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00770   452   NtReleaseSemaphore  (108, 1, ... 0, ) == 0x0
 00771   452   NtWaitForSingleObject  (108, 0, {0, 0}, ... ) == 0x0
 00772   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00773   452   NtQueryValueKey  (116,  (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 00774   452   NtClose  (116, ... ) == 0x0
 00775   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 00776   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00777   452   NtSetValueKey  (116,  (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 00778   452   NtClose  (116, ... ) == 0x0
 00779   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 00780   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 00781   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 00782   452   NtQueryValueKey  (104,  (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 00783   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 116, ) }, ... 116, ) == 0x0
 00784   452   NtQueryValueKey  (116,  (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00785   452   NtClose  (116, ... ) == 0x0
 00786   452   NtClose  (104, ... ) == 0x0
 00787   452   NtOpenKey  (0xf, {24, 96, 0x40, 0, 0,  (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 104, ) }, ... 104, ) == 0x0
 00788   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00789   452   NtReleaseSemaphore  (108, 1, ... 0, ) == 0x0
 00790   452   NtWaitForSingleObject  (108, 0, {0, 0}, ... ) == 0x0
 00791   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00792   452   NtQueryValueKey  (116,  (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 00793   452   NtClose  (116, ... ) == 0x0
 00794   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238492, ... ) }, 1238492, ... ) == 0x0
 00795   452   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00796   452   NtSetValueKey  (116,  (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1,  (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0
 00797   452   NtClose  (116, ... ) == 0x0
 00798   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239824, ... ) }, 1239824, ... ) == 0x0
 00799   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 00800   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 00801   452   NtSetInformationFile  (116, 1239532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00802   452   NtClose  (116, ... ) == 0x0
 00803   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239556, ... ) }, 1239556, ... ) == 0x0
 00804   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 00805   452   NtQueryValueKey  (104,  (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 00806   452   NtQueryValueKey  (104,  (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 00807   452   NtClose  (104, ... ) == 0x0
 00808   452   NtClose  (100, ... ) == 0x0
 00809   452   NtClose  (92, ... ) == 0x0
 00810   452   NtClose  (96, ... ) == 0x0
 00811   452   NtClose  (88, ... ) == 0x0
 00812   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 88, ) }, ... 88, ) == 0x0
 00813   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 96, ) }, ... 96, ) == 0x0
 00814   452   NtWaitForSingleObject  (96, 0, 0x0, ... ) == 0x0
 00815   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0
 00816   452   NtQueryVolumeInformationFile  (92, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00817   452   NtClose  (92, ... ) == 0x0
 00818   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0
 00819   452   NtQueryVolumeInformationFile  (92, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00820   452   NtClose  (92, ... ) == 0x0
 00821   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 00822   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 92, {status=0x0, info=1}, ) }, 7, 2113568, ... 92, {status=0x0, info=1}, ) == 0x0
 00823   452   NtSetInformationFile  (92, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00824   452   NtClose  (92, ... ) == 0x0
 00825   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241420,  (0xc0100080, {24, 0, 0x40, 1356424, 1241420, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00826   452   NtSetInformationFile  (92, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00827   452   NtQueryInformationFile  (92, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00828   452   NtClose  (92, ... ) == 0x0
 00829   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241404,  (0xc0100080, {24, 0, 0x40, 1356424, 1241404, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00830   452   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 100, ) }, ... 100, ) == 0x0
 00831   452   NtMapViewOfSection  (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 32768, ) == 0x0
 00832   452   NtReleaseMutant  (96, ... 0x0, ) == 0x0
 00833   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 104, ) }, ... 104, ) == 0x0
 00834   452   NtWaitForSingleObject  (104, 0, 0x0, ... ) == 0x0
 00835   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0
 00836   452   NtQueryVolumeInformationFile  (116, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00837   452   NtClose  (116, ... ) == 0x0
 00838   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0
 00839   452   NtQueryVolumeInformationFile  (116, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00840   452   NtClose  (116, ... ) == 0x0
 00841   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 00842   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0
 00843   452   NtSetInformationFile  (116, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00844   452   NtClose  (116, ... ) == 0x0
 00845   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241420,  (0xc0100080, {24, 0, 0x40, 1356424, 1241420, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 00846   452   NtSetInformationFile  (116, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00847   452   NtQueryInformationFile  (116, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00848   452   NtClose  (116, ... ) == 0x0
 00849   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241404,  (0xc0100080, {24, 0, 0x40, 1356424, 1241404, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 00850   452   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 140, ) }, ... 140, ) == 0x0
 00851   452   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 16384, ) == 0x0
 00852   452   NtReleaseMutant  (104, ... 0x0, ) == 0x0
 00853   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 120, ) }, ... 120, ) == 0x0
 00854   452   NtWaitForSingleObject  (120, 0, 0x0, ... ) == 0x0
 00855   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0
 00856   452   NtQueryVolumeInformationFile  (124, 1241076, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00857   452   NtClose  (124, ... ) == 0x0
 00858   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0
 00859   452   NtQueryVolumeInformationFile  (124, 1241100, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00860   452   NtClose  (124, ... ) == 0x0
 00861   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241428, ... ) }, 1241428, ... ) == 0x0
 00862   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 124, {status=0x0, info=1}, ) }, 7, 2113568, ... 124, {status=0x0, info=1}, ) == 0x0
 00863   452   NtSetInformationFile  (124, 1241404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00864   452   NtClose  (124, ... ) == 0x0
 00865   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241420,  (0xc0100080, {24, 0, 0x40, 1356424, 1241420, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00866   452   NtSetInformationFile  (124, 1241472, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00867   452   NtQueryInformationFile  (124, 1241472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00868   452   NtClose  (124, ... ) == 0x0
 00869   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1356424, 1241404,  (0xc0100080, {24, 0, 0x40, 1356424, 1241404, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00870   452   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 128, ) }, ... 128, ) == 0x0
 00871   452   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3c0000), {0, 0}, 32768, ) == 0x0
 00872   452   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00873   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00874   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0
 00875   452   NtSetInformationFile  (132, 1241460, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00876   452   NtClose  (132, ... ) == 0x0
 00877   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00878   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00879   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0
 00880   452   NtSetInformationFile  (132, 1241460, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00881   452   NtClose  (132, ... ) == 0x0
 00882   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00883   452   NtWaitForSingleObject  (96, 0, 0x0, ... ) == 0x0
 00884   452   NtQueryInformationFile  (92, 1239868, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00885   452   NtReleaseMutant  (96, ... 0x0, ) == 0x0
 00886   452   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 132, ) }, ... 132, ) == 0x0
 00887   452   NtOpenKey  (0xf, {24, 132, 0x40, 0, 0,  (0xf, {24, 132, 0x40, 0, 0, "Extensible Cache"}, ... 136, ) }, ... 136, ) == 0x0
 00888   452   NtClose  (132, ... ) == 0x0
 00889   452   NtWaitForSingleObject  (88, 0, {-600000000, -1}, ... ) == 0x0
 00890   452   NtEnumerateKey  (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0
 00891   452   NtOpenKey  (0xf, {24, 136, 0x40, 0, 0,  (0xf, {24, 136, 0x40, 0, 0, "MSHist012007051420070521"}, ... 132, ) }, ... 132, ) == 0x0
 00892   452   NtQueryValueKey  (132,  (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00893   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00894   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00895   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00896   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00897   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00898   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00899   452   NtQueryValueKey  (132,  (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 00900   452   NtQueryValueKey  (132,  (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00901   452   NtClose  (132, ... ) == 0x0
 00902   452   NtEnumerateKey  (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0
 00903   452   NtOpenKey  (0xf, {24, 136, 0x40, 0, 0,  (0xf, {24, 136, 0x40, 0, 0, "MSHist012007052120070528"}, ... 132, ) }, ... 132, ) == 0x0
 00904   452   NtQueryValueKey  (132,  (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00905   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00906   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00907   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00908   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00909   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00910   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00911   452   NtQueryValueKey  (132,  (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 00912   452   NtQueryValueKey  (132,  (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00913   452   NtClose  (132, ... ) == 0x0
 00914   452   NtEnumerateKey  (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0
 00915   452   NtOpenKey  (0xf, {24, 136, 0x40, 0, 0,  (0xf, {24, 136, 0x40, 0, 0, "MSHist012007053120070601"}, ... 132, ) }, ... 132, ) == 0x0
 00916   452   NtQueryValueKey  (132,  (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00917   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00918   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00919   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00920   452   NtQueryValueKey  (132,  (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 00921   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00922   452   NtQueryValueKey  (132,  (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 00923   452   NtQueryValueKey  (132,  (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 00924   452   NtQueryValueKey  (132,  (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00925   452   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00926   452   NtClose  (132, ... ) == 0x0
 00927   452   NtEnumerateKey  (136, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 00928   452   NtReleaseMutant  (88, ... 0x0, ) == 0x0
 00929   452   NtClose  (136, ... ) == 0x0
 00930   452   NtWaitForSingleObject  (96, 0, 0x0, ... ) == 0x0
 00931   452   NtQueryInformationFile  (92, 1241796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00932   452   NtReleaseMutant  (96, ... 0x0, ) == 0x0
 00933   452   NtWaitForSingleObject  (96, 0, 0x0, ... ) == 0x0
 00934   452   NtQueryInformationFile  (92, 1241868, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00935   452   NtReleaseMutant  (96, ... 0x0, ) == 0x0
 00936   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00937   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00941   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0
 00942   452   NtQueryValueKey  (136,  (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00943   452   NtClose  (136, ... ) == 0x0
 00944   452   NtQueryValueKey  (76,  (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945   452   NtQueryValueKey  (76,  (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   452   NtQueryValueKey  (76,  (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   452   NtQueryValueKey  (76,  (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   452   NtQueryValueKey  (76,  (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   452   NtQueryValueKey  (76,  (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   452   NtQueryValueKey  (76,  (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951   452   NtQueryValueKey  (76,  (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   452   NtQueryValueKey  (76,  (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00953   452   NtQueryValueKey  (76,  (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   452   NtQueryValueKey  (76,  (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   452   NtQueryValueKey  (76,  (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   452   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 136, ) }, ... 136, ) == 0x0
 00957   452   NtQueryValueKey  (136,  (136, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   452   NtClose  (136, ... ) == 0x0
 00959   452   NtQueryValueKey  (76,  (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960   452   NtQueryValueKey  (76,  (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   452   NtQueryValueKey  (76,  (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   452   NtQueryValueKey  (76,  (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   452   NtQueryValueKey  (76,  (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   452   NtQueryValueKey  (76,  (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   452   NtQueryValueKey  (76,  (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   452   NtQueryValueKey  (76,  (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   452   NtQueryValueKey  (76,  (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0
 00969   452   NtQueryValueKey  (136,  (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   452   NtClose  (136, ... ) == 0x0
 00971   452   NtQueryValueKey  (76,  (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972   452   NtQueryValueKey  (76,  (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 00974   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 00975   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 00976   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 00977   452   NtQueryValueKey  (76,  (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00978   452   NtQueryValueKey  (76,  (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   452   NtQueryValueKey  (76,  (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   452   NtQueryValueKey  (76,  (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   452   NtQueryValueKey  (76,  (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00982   452   NtQueryValueKey  (76,  (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   452   NtQueryValueKey  (76,  (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   452   NtQueryValueKey  (76,  (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   452   NtQueryValueKey  (76,  (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   452   NtQueryValueKey  (76,  (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   452   NtQueryValueKey  (76,  (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "WininetStartupMutex"}, ... 136, ) }, ... 136, ) == 0x0
 00989   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 132, ) == 0x0
 00990   452   NtQueryValueKey  (76,  (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   452   NtWaitForSingleObject  (96, 0, 0x0, ... ) == 0x0
 00992   452   NtQueryInformationFile  (92, 1241844, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00993   452   NtReleaseMutant  (96, ... 0x0, ) == 0x0
 00994   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "WininetConnectionMutex"}, ... 144, ) }, ... 144, ) == 0x0
 00995   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 148, ) == 0x0
 00996   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 152, ) }, ... 152, ) == 0x0
 00997   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00998   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00999   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0
 01000   452   NtQueryValueKey  (156,  (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01001   452   NtQueryValueKey  (156,  (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01002   452   NtClose  (156, ... ) == 0x0
 01003   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 156, ) == 0x0
 01004   452   NtWaitForSingleObject  (156, 0, 0x0, ... ) == 0x0
 01005   452   NtClearEvent  (156, ... ) == 0x0
 01006   452   NtSetEvent  (156, ... 0x0, ) == 0x0
 01007   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1239776, ... ) }, 1239776, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1239776, ... ) }, 1239776, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1239776, ... ) }, 1239776, ... ) == 0x0
 01011   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01012   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 164, ) == 0x0
 01013   452   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01014   452   NtClose  (160, ... ) == 0x0
 01015   452   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 01016   452   NtClose  (164, ... ) == 0x0
 01017   452   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0
 01018   452   NtQueryValueKey  (164,  (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01019   452   NtQueryValueKey  (164,  (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01020   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01021   452   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "Protocol_Catalog9"}, ... 168, ) }, ... 168, ) == 0x0
 01022   452   NtQueryValueKey  (168,  (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01023   452   NtNotifyChangeKey  (168, 160, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01024   452   NtQueryValueKey  (168,  (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01025   452   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   452   NtQueryValueKey  (168,  (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 01027   452   NtQueryValueKey  (168,  (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01028   452   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "Catalog_Entries"}, ... 172, ) }, ... 172, ) == 0x0
 01029   452   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01030   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000001"}, ... 176, ) }, ... 176, ) == 0x0
 01031   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01032   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01033   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\12\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\13\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01034   452   NtClose  (176, ... ) == 0x0
 01035   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000002"}, ... 176, ) }, ... 176, ) == 0x0
 01036   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01037   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01038   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\20\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01039   452   NtClose  (176, ... ) == 0x0
 01040   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000003"}, ... 176, ) }, ... 176, ) == 0x0
 01041   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01042   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01043   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\25\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01044   452   NtClose  (176, ... ) == 0x0
 01045   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000004"}, ... 176, ) }, ... 176, ) == 0x0
 01046   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01047   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01048   452   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01049   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\32\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\33\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01050   452   NtClose  (176, ... ) == 0x0
 01051   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000005"}, ... 176, ) }, ... 176, ) == 0x0
 01052   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01053   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01054   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\37\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0 \4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 01055   452   NtClose  (176, ... ) == 0x0
 01056   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000006"}, ... 176, ) }, ... 176, ) == 0x0
 01057   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01058   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01059   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0$\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0%\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01060   452   NtClose  (176, ... ) == 0x0
 01061   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000007"}, ... 176, ) }, ... 176, ) == 0x0
 01062   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01063   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01064   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0)\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0*\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0+\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01065   452   NtClose  (176, ... ) == 0x0
 01066   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000008"}, ... 176, ) }, ... 176, ) == 0x0
 01067   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01068   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01069   452   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01070   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0/\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\00\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01071   452   NtClose  (176, ... ) == 0x0
 01072   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000009"}, ... 176, ) }, ... 176, ) == 0x0
 01073   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01074   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01075   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\07\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\07\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\07\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\04\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\05\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\06\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\07\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01076   452   NtClose  (176, ... ) == 0x0
 01077   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000010"}, ... 176, ) }, ... 176, ) == 0x0
 01078   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01079   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01080   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\09\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\260\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\315\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0:\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0;\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\4\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01081   452   NtClose  (176, ... ) == 0x0
 01082   452   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "000000000011"}, ... 176, ) }, ... 176, ) == 0x0
 01083   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01084   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01085   452   NtQueryValueKey  (176,  (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0>\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0>\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0?\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\4\0\0\274\1\0\0\304\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\0\0\274\1\0\0\304\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0A\4\0\0\274\1\0\0\304\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0A\4\0\0\274\1\0\0\304\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0B\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0\314\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0h\315\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0>\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0>\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0?\4\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\4\0\0\274\1\0\0\304\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\0\0\274\1\0\0\304\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0A\4\0\0\274\1\0\0\304\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0A\4\0\0\274\1\0\0\304\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0B\4\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0\314\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0h\315\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 01086   452   NtClose  (176, ... ) == 0x0
 01087   452   NtClose  (172, ... ) == 0x0
 01088   452   NtWaitForSingleObject  (160, 0, {0, 0}, ... ) == 0x102
 01089   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01090   452   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 176, ) }, ... 176, ) == 0x0
 01091   452   NtQueryValueKey  (176,  (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01092   452   NtNotifyChangeKey  (176, 172, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01093   452   NtQueryValueKey  (176,  (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01094   452   NtOpenKey  (0x2000000, {24, 176, 0x40, 0, 0,  (0x2000000, {24, 176, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   452   NtQueryValueKey  (176,  (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01096   452   NtOpenKey  (0x2000000, {24, 176, 0x40, 0, 0,  (0x2000000, {24, 176, 0x40, 0, 0, "Catalog_Entries"}, ... 180, ) }, ... 180, ) == 0x0
 01097   452   NtOpenKey  (0x20019, {24, 180, 0x40, 0, 0,  (0x20019, {24, 180, 0x40, 0, 0, "000000000001"}, ... 184, ) }, ... 184, ) == 0x0
 01098   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01099   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01100   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01101   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01102   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01103   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01104   452   NtQueryValueKey  (184,  (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01105   452   NtQueryValueKey  (184,  (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   452   NtQueryValueKey  (184,  (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01107   452   NtQueryValueKey  (184,  (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01108   452   NtQueryValueKey  (184,  (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01109   452   NtQueryValueKey  (184,  (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01110   452   NtClose  (184, ... ) == 0x0
 01111   452   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01112   452   NtOpenKey  (0x20019, {24, 180, 0x40, 0, 0,  (0x20019, {24, 180, 0x40, 0, 0, "000000000002"}, ... 184, ) }, ... 184, ) == 0x0
 01113   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01114   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01115   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01116   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01117   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01118   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01119   452   NtQueryValueKey  (184,  (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01120   452   NtQueryValueKey  (184,  (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   452   NtQueryValueKey  (184,  (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01122   452   NtQueryValueKey  (184,  (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01123   452   NtQueryValueKey  (184,  (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01124   452   NtQueryValueKey  (184,  (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01125   452   NtClose  (184, ... ) == 0x0
 01126   452   NtOpenKey  (0x20019, {24, 180, 0x40, 0, 0,  (0x20019, {24, 180, 0x40, 0, 0, "000000000003"}, ... 184, ) }, ... 184, ) == 0x0
 01127   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01128   452   NtQueryValueKey  (184,  (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01129   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01130   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01131   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01132   452   NtQueryValueKey  (184,  (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01133   452   NtQueryValueKey  (184,  (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01134   452   NtQueryValueKey  (184,  (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135   452   NtQueryValueKey  (184,  (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   452   NtQueryValueKey  (184,  (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01137   452   NtQueryValueKey  (184,  (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   452   NtQueryValueKey  (184,  (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01139   452   NtClose  (184, ... ) == 0x0
 01140   452   NtClose  (180, ... ) == 0x0
 01141   452   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x102
 01142   452   NtClose  (164, ... ) == 0x0
 01143   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01144   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01145   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0
 01146   452   NtQueryValueKey  (164,  (164, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   452   NtClose  (164, ... ) == 0x0
 01148   452   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0
 01149   452   NtClearEvent  (132, ... ) == 0x0
 01150   452   NtSetEvent  (132, ... 0x0, ) == 0x0
 01151   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01153   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01154   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240308, ... ) }, 1240308, ... ) == 0x0
 01155   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01156   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01157   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01158   452   NtClose  (180, ... ) == 0x0
 01159   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 01160   452   NtClose  (184, ... ) == 0x0
 01161   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240772, ... ) }, 1240772, ... ) == 0x0
 01165   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01166   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01167   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   452   NtClose  (184, ... ) == 0x0
 01169   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0
 01170   452   NtClose  (180, ... ) == 0x0
 01171   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1239968, ... ) }, 1239968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netman.dll"}, 1239968, ... ) }, 1239968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 01175   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01176   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01177   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01178   452   NtClose  (180, ... ) == 0x0
 01179   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0
 01180   452   NtClose  (184, ... ) == 0x0
 01181   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01185   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01186   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01187   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01188   452   NtClose  (184, ... ) == 0x0
 01189   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0
 01190   452   NtClose  (180, ... ) == 0x0
 01191   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01195   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01196   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01197   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01198   452   NtClose  (180, ... ) == 0x0
 01199   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0
 01200   452   NtClose  (184, ... ) == 0x0
 01201   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01202   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01205   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01206   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01207   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01208   452   NtClose  (184, ... ) == 0x0
 01209   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0
 01210   452   NtClose  (180, ... ) == 0x0
 01211   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236752, ... ) }, 1236752, ... ) == 0x0
 01215   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01216   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01217   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01218   452   NtClose  (180, ... ) == 0x0
 01219   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01220   452   NtClose  (184, ... ) == 0x0
 01221   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 184, ) }, ... 184, ) == 0x0
 01222   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01223   452   NtClose  (184, ... ) == 0x0
 01224   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01228   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01229   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01230   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01231   452   NtClose  (184, ... ) == 0x0
 01232   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01233   452   NtClose  (180, ... ) == 0x0
 01234   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01236   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01238   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01239   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01240   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01241   452   NtClose  (180, ... ) == 0x0
 01242   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
 01243   452   NtClose  (184, ... ) == 0x0
 01244   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01248   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01249   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01250   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01251   452   NtClose  (184, ... ) == 0x0
 01252   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 01253   452   NtClose  (180, ... ) == 0x0
 01254   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01256   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01258   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01259   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01260   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01261   452   NtClose  (180, ... ) == 0x0
 01262   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01263   452   NtClose  (184, ... ) == 0x0
 01264   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01266   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01268   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01269   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01270   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01271   452   NtClose  (184, ... ) == 0x0
 01272   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
 01273   452   NtClose  (180, ... ) == 0x0
 01274   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01278   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01279   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01280   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01281   452   NtClose  (180, ... ) == 0x0
 01282   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
 01283   452   NtClose  (184, ... ) == 0x0
 01284   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01285   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01286   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01288   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01289   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01290   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01291   452   NtClose  (184, ... ) == 0x0
 01292   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
 01293   452   NtClose  (180, ... ) == 0x0
 01294   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01296   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01297   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01298   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01299   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01300   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01301   452   NtClose  (180, ... ) == 0x0
 01302   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 01303   452   NtClose  (184, ... ) == 0x0
 01304   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239164, ... ) }, 1239164, ... ) == 0x0
 01308   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01309   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01310   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01311   452   NtClose  (184, ... ) == 0x0
 01312   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0
 01313   452   NtClose  (180, ... ) == 0x0
 01314   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01316   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01317   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01318   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01319   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01320   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01321   452   NtClose  (180, ... ) == 0x0
 01322   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0
 01323   452   NtClose  (184, ... ) == 0x0
 01324   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01327   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01328   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01329   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01330   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01331   452   NtClose  (184, ... ) == 0x0
 01332   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0
 01333   452   NtClose  (180, ... ) == 0x0
 01334   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01335   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01336   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01338   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01339   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01340   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01341   452   NtClose  (180, ... ) == 0x0
 01342   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01343   452   NtClose  (184, ... ) == 0x0
 01344   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01347   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238360, ... ) }, 1238360, ... ) == 0x0
 01348   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01349   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01350   452   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01351   452   NtClose  (184, ... ) == 0x0
 01352   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01353   452   NtClose  (180, ... ) == 0x0
 01354   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01355   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01357   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237556, ... ) }, 1237556, ... ) == 0x0
 01358   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01359   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0
 01360   452   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01361   452   NtClose  (180, ... ) == 0x0
 01362   452   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0
 01363   452   NtClose  (184, ... ) == 0x0
 01364   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0
 01365   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 180, ) }, ... 180, ) == 0x0
 01366   452   NtQueryValueKey  (180,  (180, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01367   452   NtClose  (180, ... ) == 0x0
 01368   452   NtQueryDefaultLocale  (1, 1241416, ... ) == 0x0
 01369   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01370   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 26607616, 262144, ) == 0x0
 01371   452   NtAllocateVirtualMemory  (-1, 26607616, 0, 4096, 4096, 4, ... 26607616, 4096, ) == 0x0
 01372   452   NtAllocateVirtualMemory  (-1, 26611712, 0, 8192, 4096, 4, ... 26611712, 8192, ) == 0x0
 01373   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01374   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01375   452   NtQueryDefaultLocale  (1, 1241376, ... ) == 0x0
 01376   452   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01377   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01378   452   NtQueryValueKey  (180,  (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01379   452   NtClose  (180, ... ) == 0x0
 01380   452   NtUserGetProcessWindowStation  (... ) == 0x2c
 01381   452   NtUserGetObjectInformation  (44, 1, 1241048, 12, 1241060, ... ) == 0x1
 01382   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 180, ) }, ... 180, ) == 0x0
 01383   452   NtQueryValueKey  (180,  (180, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01384   452   NtClose  (180, ... ) == 0x0
 01385   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01386   452   NtQueryValueKey  (180,  (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01387   452   NtQueryValueKey  (180,  (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01388   452   NtClose  (180, ... ) == 0x0
 01389   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01390   452   NtQueryValueKey  (180,  (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01391   452   NtQueryValueKey  (180,  (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01392   452   NtClose  (180, ... ) == 0x0
 01393   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01394   452   NtQueryValueKey  (180,  (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01395   452   NtQueryValueKey  (180,  (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01396   452   NtClose  (180, ... ) == 0x0
 01397   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01398   452   NtQueryValueKey  (180,  (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01399   452   NtQueryValueKey  (180,  (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (180, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01400   452   NtClose  (180, ... ) == 0x0
 01401   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 180, ) }, ... 180, ) == 0x0
 01402   452   NtQueryValueKey  (180,  (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01403   452   NtQueryValueKey  (180,  (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01404   452   NtClose  (180, ... ) == 0x0
 01405   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 180, ) }, ... 180, ) == 0x0
 01406   452   NtQueryValueKey  (180,  (180, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (180, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01407   452   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01408   452   NtClose  (180, ... ) == 0x0
 01409   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01410   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 188, ) == 0x0
 01411   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 01412   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 196, ) == 0x0
 01413   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01414   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 204, ) == 0x0
 01415   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 208, ) }, ... 208, ) == 0x0
 01416   452   NtQueryValueKey  (208,  (208, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   452   NtQueryValueKey  (208,  (208, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   452   NtOpenKey  (0x1, {24, 208, 0x40, 0, 0,  (0x1, {24, 208, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01419   452   NtClose  (208, ... ) == 0x0
 01420   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240968, ... ) }, 1240968, ... ) == 0x0
 01421   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 208, ) }, ... 208, ) == 0x0
 01422   452   NtQueryValueKey  (208,  (208, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (208, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01423   452   NtClose  (208, ... ) == 0x0
 01424   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0
 01425   452   NtQueryValueKey  (208,  (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (208, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01426   452   NtClose  (208, ... ) == 0x0
 01427   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0
 01429   452   NtQueryValueKey  (208,  (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (208, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01430   452   NtClose  (208, ... ) == 0x0
 01431   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01432   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 212, ) == 0x0
 01433   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 216, ) == 0x0
 01434   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 220, ) }, ... 220, ) == 0x0
 01435   452   NtQueryValueKey  (220,  (220, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   452   NtQueryValueKey  (220,  (220, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   452   NtQueryValueKey  (220,  (220, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   452   NtQueryValueKey  (220,  (220, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   452   NtQueryValueKey  (220,  (220, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   452   NtQueryValueKey  (220,  (220, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   452   NtQueryValueKey  (220,  (220, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   452   NtQueryValueKey  (220,  (220, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   452   NtQueryValueKey  (220,  (220, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   452   NtQueryValueKey  (220,  (220, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   452   NtQueryValueKey  (220,  (220, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   452   NtQueryValueKey  (220,  (220, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   452   NtQueryValueKey  (220,  (220, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   452   NtQueryValueKey  (220,  (220, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   452   NtQueryValueKey  (220,  (220, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   452   NtQueryValueKey  (220,  (220, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   452   NtQueryValueKey  (220,  (220, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   452   NtQueryValueKey  (220,  (220, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   452   NtQueryValueKey  (220,  (220, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454   452   NtQueryValueKey  (220,  (220, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   452   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01456   452   NtQueryValueKey  (220,  (220, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457   452   NtQueryValueKey  (220,  (220, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458   452   NtQueryValueKey  (220,  (220, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   452   NtQueryValueKey  (220,  (220, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   452   NtQueryValueKey  (220,  (220, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   452   NtQueryValueKey  (220,  (220, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   452   NtQueryValueKey  (220,  (220, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463   452   NtQueryValueKey  (220,  (220, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   452   NtQueryValueKey  (220,  (220, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   452   NtQueryValueKey  (220,  (220, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   452   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 01467   452   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 224, ) }, ... 224, ) == 0x0
 01468   452   NtQueryValueKey  (224,  (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01469   452   NtClose  (224, ... ) == 0x0
 01470   452   NtCreateEvent  (0x1f0003, {24, 56, 0x80, 0, 0,  (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01471   452   NtQueryValueKey  (220,  (220, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   452   NtQueryValueKey  (220,  (220, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   452   NtQueryValueKey  (220,  (220, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   452   NtQueryValueKey  (220,  (220, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   452   NtQueryValueKey  (220,  (220, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   452   NtQueryValueKey  (220,  (220, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   452   NtQueryValueKey  (220,  (220, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478   452   NtQueryValueKey  (220,  (220, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   452   NtQueryValueKey  (220,  (220, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   452   NtQueryValueKey  (220,  (220, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   452   NtQueryDefaultUILanguage  (1239936, ...
 01482   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01483   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 01484   452   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01485   452   NtClose  (-2147482208, ... ) == 0x0
 01486   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 01487   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01488   452   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 01489   452   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490   452   NtClose  (-2147482196, ... ) == 0x0
 01491   452   NtClose  (-2147482208, ... ) == 0x0
 01481   452   NtQueryDefaultUILanguage  ... ) == 0x0
 01492   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 224, {status=0x0, info=1}, ) }, 1, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 01494   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 01495   452   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3d0000), 0x0, 163840, ) == 0x0
 01496   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497   452   NtQueryDefaultLocale  (1, 1237972, ... ) == 0x0
 01498   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z?\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1514, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z?\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1514, 0}  (24, {128, 156, new_msg, 0, 1238828, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z?\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1514, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z?\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0,\356\22\0\0\0\0\0" )  ) == 0x0
 01500   452   NtClose  (224, ... ) == 0x0
 01501   452   NtClose  (228, ... ) == 0x0
 01502   452   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 01503   452   NtUnmapViewOfSection  (-1, 0x12ee2c, ... ) == STATUS_NOT_MAPPED_VIEW
 01504   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01505   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01507   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01508   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237056, ... ) }, 1237056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01510   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01511   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01512   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237648, ... ) }, 1237648, ... ) == 0x0
 01513   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 228, {status=0x0, info=1}, ) }, 3, 33, ... 228, {status=0x0, info=1}, ) == 0x0
 01514   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01515   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 224, ) }, ... 224, ) == 0x0
 01516   452   NtQueryValueKey  (224,  (224, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517   452   NtQueryValueKey  (224,  (224, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   452   NtClose  (224, ... ) == 0x0
 01519   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 224, ) == 0x0
 01520   452   NtCreateMutant  (0x1f0001, {24, 56, 0x80, 1381712, 0,  (0x1f0001, {24, 56, 0x80, 1381712, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED
 01521   452   NtOpenMutant  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "RasPbFile"}, ... 232, ) }, ... 232, ) == 0x0
 01522   452   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0
 01523   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 240, ) == 0x0
 01524   452   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 244, ) == 0x0
 01525   452   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 248, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 248, 2, ) , 0, ... 248, 2, ) == 0x0
 01526   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 252, ) }, ... 252, ) == 0x0
 01527   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01529   452   NtQueryValueKey  (252,  (252, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530   452   NtQueryValueKey  (248,  (248, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531   452   NtQueryValueKey  (252,  (252, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   452   NtQueryValueKey  (248,  (248, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01533   452   NtQueryValueKey  (252,  (252, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   452   NtQueryValueKey  (248,  (248, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   452   NtQueryValueKey  (252,  (252, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   452   NtQueryValueKey  (248,  (248, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01537   452   NtQueryValueKey  (252,  (252, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   452   NtQueryValueKey  (252,  (252, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   452   NtQueryValueKey  (252,  (252, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01540   452   NtQueryValueKey  (252,  (252, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541   452   NtQueryValueKey  (252,  (252, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542   452   NtQueryValueKey  (252,  (252, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   452   NtQueryValueKey  (252,  (252, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   452   NtQueryValueKey  (248,  (248, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   452   NtQueryValueKey  (252,  (252, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   452   NtQueryValueKey  (252,  (252, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547   452   NtQueryValueKey  (248,  (248, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548   452   NtQueryValueKey  (252,  (252, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01549   452   NtQueryValueKey  (248,  (248, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   452   NtQueryValueKey  (252,  (252, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   452   NtQueryValueKey  (248,  (248, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552   452   NtQueryValueKey  (252,  (252, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553   452   NtQueryValueKey  (248,  (248, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554   452   NtQueryValueKey  (252,  (252, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   452   NtQueryValueKey  (248,  (248, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   452   NtQueryValueKey  (252,  (252, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   452   NtQueryValueKey  (248,  (248, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   452   NtQueryValueKey  (252,  (252, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01559   452   NtQueryValueKey  (248,  (248, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   452   NtQueryValueKey  (252,  (252, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   452   NtQueryValueKey  (248,  (248, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562   452   NtQueryValueKey  (252,  (252, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563   452   NtQueryValueKey  (252,  (252, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564   452   NtQueryValueKey  (252,  (252, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   452   NtQueryValueKey  (252,  (252, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566   452   NtQueryValueKey  (252,  (252, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   452   NtQueryValueKey  (252,  (252, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   452   NtQueryValueKey  (252,  (252, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   452   NtQueryValueKey  (252,  (252, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   452   NtQueryValueKey  (252,  (252, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571   452   NtQueryValueKey  (252,  (252, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   452   NtQueryValueKey  (252,  (252, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   452   NtQueryValueKey  (252,  (252, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   452   NtQueryValueKey  (252,  (252, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 256, ) }, ... 256, ) == 0x0
 01576   452   NtQueryValueKey  (256,  (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01577   452   NtClose  (256, ... ) == 0x0
 01578   452   NtClose  (248, ... ) == 0x0
 01579   452   NtClose  (252, ... ) == 0x0
 01580   452   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 252, ) }, ... 252, ) == 0x0
 01581   452   NtQueryValueKey  (252,  (252, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582   452   NtQueryValueKey  (252,  (252, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   452   NtQueryValueKey  (252,  (252, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   452   NtClose  (252, ... ) == 0x0
 01585   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01586   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 248, ) == 0x0
 01587   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 256, ) == 0x0
 01588   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01589   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0
 01590   452   NtAllocateVirtualMemory  (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0
 01591   452   NtAllocateVirtualMemory  (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0
 01592   452   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01593   452   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) == 0x0
 01594   452   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0
 01595   452   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) == 0x0
 01596   452   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 01597   452   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1241500,  (0x20100080, {24, 0, 0x40, 0, 1241500, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0
 01598   452   NtAllocateVirtualMemory  (-1, 4009984, 0, 36864, 4096, 4, ... 4009984, 36864, ) == 0x0
 01599   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01600   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01601   452   NtClose  (280, ... ) == 0x0
 01602   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01603   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\04\204\221\261\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\04\204\221\261\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01604   452   NtClose  (280, ... ) == 0x0
 01605   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01606   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0R\204\221\261\352\265\2\0\366\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\203\0\0\307\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0R\204\221\261\352\265\2\0\366\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\203\0\0\307\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01607   452   NtClose  (280, ... ) == 0x0
 01608   452   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01609   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01610   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01611   452   NtClose  (280, ... ) == 0x0
 01612   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01613   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01614   452   NtClose  (280, ... ) == 0x0
 01615   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 01616   452   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01617   452   NtClose  (280, ... ) == 0x0
 01618   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01619   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01620   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01621   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01622   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01623   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01624   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01625   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01626   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01627   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01628   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01629   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01630   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01631   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01632   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01633   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01634   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01635   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01636   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01637   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01638   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01639   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01640   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01641   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01642   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01643   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01644   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01645   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01646   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01647   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01648   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01649   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01650   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01651   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01652   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01653   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01654   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01655   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01656   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01657   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01658   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01659   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01660   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01661   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01662   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01663   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01664   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01665   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01666   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01667   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01668   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01669   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01670   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01671   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01672   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01673   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01674   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01675   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01676   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01677   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01678   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01679   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01680   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01681   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01682   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01683   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01684   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01685   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01686   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01687   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01688   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01689   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01690   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01691   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01692   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01693   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01694   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01695   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01696   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01697   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01698   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01699   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01700   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01701   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01702   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01703   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01704   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01705   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01706   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01707   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01708   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01709   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01710   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01711   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01712   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01713   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01714   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01715   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01716   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01717   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01718   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01719   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01720   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01721   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01722   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01723   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01724   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01725   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01726   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01727   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01728   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01729   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01730   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01731   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01732   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01733   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01734   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01735   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01736   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01737   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01738   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01739   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01740   452   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01741   452   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01742   452   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01743   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 280, ) }, ... 280, ) == 0x0
 01744   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 284, ) }, ... 284, ) == 0x0
 01745   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 288, ) }, ... 288, ) == 0x0
 01746   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 292, ) }, ... 292, ) == 0x0
 01747   452   NtQueryDefaultLocale  (1, 1241436, ... ) == 0x0
 01748   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 296, ) }, ... 296, ) == 0x0
 01749   452   NtMapViewOfSection  (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01750   452   NtClose  (296, ... ) == 0x0
 01751   452   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 296, ) == 0x0
 01752   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0
 01753   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 304, ) }, ... 304, ) == 0x0
 01754   452   NtNotifyChangeKey  (304, 300, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01755   452   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01756   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 308, ) == 0x0
 01757   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 312, ) == 0x0
 01758   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01759   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240308, ... ) }, 1240308, ... ) == 0x0
 01762   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01763   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 01764   452   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01765   452   NtClose  (316, ... ) == 0x0
 01766   452   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 01767   452   NtClose  (320, ... ) == 0x0
 01768   452   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 01769   452   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 01770   452   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 01771   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 320, ) }, ... 320, ) == 0x0
 01772   452   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 01773   452   NtClose  (320, ... ) == 0x0
 01774   452   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 01775   452   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 01776   452   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 01777   452   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 01778   452   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 01779   452   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 01780   452   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 01781   452   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 01782   452   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 01783   452   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 01784   452   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 01785   452   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 01786   452   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 01787   452   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 01788   452   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 01789   452   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 01790   452   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 01791   452   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 01792   452   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 01793   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01794   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01795   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01796   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01797   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 26935296, 262144, ) == 0x0
 01798   452   NtAllocateVirtualMemory  (-1, 26935296, 0, 4096, 4096, 4, ... 26935296, 4096, ) == 0x0
 01799   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01800   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 27197440, 262144, ) == 0x0
 01801   452   NtAllocateVirtualMemory  (-1, 27197440, 0, 4096, 4096, 4, ... 27197440, 4096, ) == 0x0
 01802   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01803   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 27459584, 262144, ) == 0x0
 01804   452   NtAllocateVirtualMemory  (-1, 27459584, 0, 4096, 4096, 4, ... 27459584, 4096, ) == 0x0
 01805   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01806   452   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 27721728, 262144, ) == 0x0
 01807   452   NtAllocateVirtualMemory  (-1, 27721728, 0, 4096, 4096, 4, ... 27721728, 4096, ) == 0x0
 01808   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01809   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01810   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01811   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01812   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236280, ... ) }, 1236280, ... ) == 0x0
 01813   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01814   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 316, ) == 0x0
 01815   452   NtClose  (320, ... ) == 0x0
 01816   452   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 90112, ) == 0x0
 01817   452   NtClose  (316, ... ) == 0x0
 01818   452   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01819   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236596, ... ) }, 1236596, ... ) == 0x0
 01820   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01821   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 01822   452   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01823   452   NtClose  (316, ... ) == 0x0
 01824   452   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 01825   452   NtClose  (320, ... ) == 0x0
 01826   452   NtQueryDefaultLocale  (1, 1238284, ... ) == 0x0
 01827   452   NtAllocateVirtualMemory  (-1, 26939392, 0, 4096, 4096, 4, ... 26939392, 4096, ) == 0x0
 01828   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 320, ) }, ... 320, ) == 0x0
 01829   452   NtClose  (320, ... ) == 0x0
 01830   452   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01831   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   452   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01833   452   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01834   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01835   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01836   452   NtCreateMutant  (0x1f0001, {24, 56, 0x80, 0, 0,  (0x1f0001, {24, 56, 0x80, 0, 0, "Bot018"}, 0, ... 320, ) }, 0, ... 320, ) == 0x0
 01837   452   NtWaitForSingleObject  (320, 0, {-300000000, -1}, ... ) == 0x0
 01838   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 1242252, ... ) }, 1242252, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   452   NtDelayExecution  (0, {-20000000, -1}, ... ) == 0x0
 01840   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241168,  (0x80100080, {24, 0, 0x40, 0, 1241168, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 01841   452   NtQueryInformationFile  (316, 1242104, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01842   452   NtQueryInformationFile  (316, 1242076, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01843   452   NtQueryInformationFile  (316, 1242028, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01844   452   NtAllocateVirtualMemory  (-1, 1388544, 0, 8192, 4096, 4, ... 1388544, 8192, ) == 0x0
 01845   452   NtQueryInformationFile  (316, 1386816, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01846   452   NtQueryInformationFile  (316, 1240572, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01847   452   NtQueryInformationFile  (316, 1240416, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01848   452   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240424,  (0x40110080, {24, 0, 0x40, 0, 1240424, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01849   452   NtClose  (-2147482188, ... ) == 0x0
 01848   452   NtCreateFile  ... 324, {status=0x0, info=2}, ) == 0x0
 01850   452   NtQueryVolumeInformationFile  (324, 1239796, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01851   452   NtQueryInformationFile  (324, 1239756, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01852   452   NtQueryVolumeInformationFile  (316, 1239796, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01853   452   NtQueryVolumeInformationFile  (316, 1239480, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01854   452   NtSetInformationFile  (324, 1239584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01855   452   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 316, ... 328, ) == 0x0
 01856   452   NtMapViewOfSection  (328, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1ab0000), {0, 0}, 151552, ) == 0x0
 01857   452   NtClose  (328, ... ) == 0x0
 01858   452   NtWriteFile  (324, 0, 0, 0,  (324, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0,\354.\261h\215@\342h\215@\342h\215@\342\242\256g\342i\215@\342\222\251\0\342v\215@\342\222\251\\342\344\215@\342\222\256Y\342m\215@\342h\215A\342\344\215@\342\222\251]\342-\215@\342\222\251}\342i\215@\342Richh\215@\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\247\25{C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\332\1\0\0\274\5\0\0\0\0\0\0\340\7\0\0\20\0\0\0\360\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\7\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\334\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\300\7\0\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\304\330\1\0\0\20\0\0\0\16\1\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01859   452   NtWriteFile  (324, 0, 0, 0,  (324, 0, 0, 0, "J$\230\340\235\362\222\357\23\20\13\327\200yt8\251\250^\21\212\5\16:\17uXR\323\324~\305\301N\222\16@\278\321uE\360N\241\357W\3176\25;4\322e\306\6\350\2\265\343_^\361d%\220\270+\363H\247\201~HN\3179W\347M\20G\365F\14.\357\315\352\353 \35\2\267.b\24\314\13_\203\330\330\16\210\204\304\213r\26\24\178\312\307@f\34\362\356\362\336\240\11\23\201H\341\302\235\224\342\63;r\311j+\312\240\177\2508\246\231B\14\201\361\215F\377&\232H\320\205;\15\365 \3\376s%\232\301G\6>FJ\274+\236\326<\350\227-6l\316\2645\237\24\237\36\222\351\7\36\20I7\10?a\23Sj\3641\276\223\12\365\30\276\12\366\377%\250\245&\7\372\20\4\232'[\360\237/\230\305\224\343{\226\205 \304\215|\21X\255*%\371\2\117\2038a\3002nsQ\37\25\266+\310\177\210PN\260\236\241\302\203\14\215\263J\220\377\31\342\276\276\33Ps\36\225\25\30\262\6\201\242w\3\213\360`+\326\304C\236\324\341HA\215SVv\260q}W\215\34\250<\2133\240\305\300\301P\347\267\367\274?D9\352\302\340(\177\10\332\15\37Y\222#\362g\304\352\3d\206\25E-r\260\367\221J\33/\31s\37c\10\213\270\13\27D8\14\355?\222\3524\307Ps\254\274D|\201\235\323*\234QAUj\13\203\315\370\3504\332\211\301Uy\217-!!\13\350\240\211'3\333\361\201\11\24\277L\2577'\205\366Q.\211\215\206\331\12\37^\324F\367\24uN\275\310-\210k\260Q\27\16#-\212tm\261\302\262\257 \215^\14S\254\256\200Ct\33\373X\223\213\325\337\217;\306(\5`\3;\360r\236\353\34\362\16_\300{+\7-", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01860   452   NtWriteFile  (324, 0, 0, 0,  (324, 0, 0, 0, ":]\20\253(\227PFx\25O\353\237\320\177\360"y\246\336\334B\306\262!\7\231\302/\37\321\304\375\263\257:\126\301\263:\200Mh6\204\206\32\177Gns\264K\315\26:_o\256\7\343q\264\312g\2z1O\20\260\2012\6":\326\260\236\365\17\24\231\201O\227\6\32G\220Q7i\272 z^DQI`\244K\206\224O\6\225\321S{\72p\324;\247\204\234}\366\263\32pC] 2\366\272\304\322\203\301\21\320e\204\177\12\230\302\270z\312\343\351\251\17A6\360\365\347\366\206\306\23\202\365\356\337\T\2105Js\7j\5S5/,\24%U\321D\313\255\343*^\304"3r~\17I\214\323\37^\214\332\3745\235\31E\317}\240!\317]3I\305C\270J\72H\325x\200V\325\210b\2\350v6\264SsW\32\7\204\230\36\361\210pf\37\234\341c\10\367*P\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203"8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200"]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236J", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) y\246\336\334B\306\262!\7\231\302/\37\321\304\375\263\257:\126\301\263:\200Mh6\204\206\32\177Gns\264K\315\26:_o\256\7\343q\264\312g\2z1O\20\260\2012\6 (324, 0, 0, 0, ":]\20\253(\227PFx\25O\353\237\320\177\360"y\246\336\334B\306\262!\7\231\302/\37\321\304\375\263\257:\126\301\263:\200Mh6\204\206\32\177Gns\264K\315\26:_o\256\7\343q\264\312g\2z1O\20\260\2012\6":\326\260\236\365\17\24\231\201O\227\6\32G\220Q7i\272 z^DQI`\244K\206\224O\6\225\321S{\72p\324;\247\204\234}\366\263\32pC] 2\366\272\304\322\203\301\21\320e\204\177\12\230\302\270z\312\343\351\251\17A6\360\365\347\366\206\306\23\202\365\356\337\T\2105Js\7j\5S5/,\24%U\321D\313\255\343*^\304"3r~\17I\214\323\37^\214\332\3745\235\31E\317}\240!\317]3I\305C\270J\72H\325x\200V\325\210b\2\350v6\264SsW\32\7\204\230\36\361\210pf\37\234\341c\10\367*P\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203"8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200"]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236J", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) 3r~\17I\214\323\37^\214\332\3745\235\31E\317}\240!\317]3I\305C\270J\72H\325x\200V\325\210b\2\350v6\264SsW\32\7\204\230\36\361\210pf\37\234\341c\10\367*P\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203 (324, 0, 0, 0, ":]\20\253(\227PFx\25O\353\237\320\177\360"y\246\336\334B\306\262!\7\231\302/\37\321\304\375\263\257:\126\301\263:\200Mh6\204\206\32\177Gns\264K\315\26:_o\256\7\343q\264\312g\2z1O\20\260\2012\6":\326\260\236\365\17\24\231\201O\227\6\32G\220Q7i\272 z^DQI`\244K\206\224O\6\225\321S{\72p\324;\247\204\234}\366\263\32pC] 2\366\272\304\322\203\301\21\320e\204\177\12\230\302\270z\312\343\351\251\17A6\360\365\347\366\206\306\23\202\365\356\337\T\2105Js\7j\5S5/,\24%U\321D\313\255\343*^\304"3r~\17I\214\323\37^\214\332\3745\235\31E\317}\240!\317]3I\305C\270J\72H\325x\200V\325\210b\2\350v6\264SsW\32\7\204\230\36\361\210pf\37\234\341c\10\367*P\10\247~RoCF!!\320\34f#v6\260\317\256\13n+\16X\312q\266&v3a\11\33o\17P~v\214\17\22\320\274i\200\14\3472}\306Z\267\246\347\310\350\27M\177\331;\351\200(\363\367\224\23\36\3013\352)\310B\23\230\300\214KB,\356\253\244\274+\224*\311\203"8\223\260\23\364\5\177\31\232\26W\200_\237\223.\373\232N\220lG\202\36\361\5\333\354o\306\354Z\272s\320/\16\15\334P\12m\216|25h\314\31\265\34=\11\303\217jZ\200\3176\225\177h\220\261\367\7A\2722Pr\215\247\341\222z\327\305\335\163\5\225\346\5\245Fq\304\227]\311c\333~p6\241+,@\365\370\210\7\340R\251\23\322n\22A\363\17,\267\237]9r\15\240J\0\200"]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236J", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) ]\241;=\270C\314\247wLOV\12D\365\352\210M\377`\3766y\337\11\236J", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 01861   452   NtUnmapViewOfSection  (-1, 0x1ab0000, ... ) == 0x0
 01862   452   NtSetInformationFile  (324, 1242028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01863   452   NtClose  (316, ... ) == 0x0
 01864   452   NtClose  (324, ... ) == 0x0
 01865   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01866   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01867   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01868   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241176, ... ) }, 1241176, ... ) == 0x0
 01870   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241924,  (0x80100080, {24, 0, 0x40, 0, 1241924, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 01871   452   NtQueryInformationFile  (324, 1241976, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01872   452   NtClose  (324, ... ) == 0x0
 01873   452   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1241924,  (0x40100080, {24, 0, 0x40, 0, 1241924, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0
 01874   452   NtSetInformationFile  (324, 1241976, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01875   452   NtClose  (324, ... ) == 0x0
 01876   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 7, 2113568, ... 324, {status=0x0, info=1}, ) }, 7, 2113568, ... 324, {status=0x0, info=1}, ) == 0x0
 01877   452   NtSetInformationFile  (324, 1242228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01878   452   NtClose  (324, ... ) == 0x0
 01879   452   NtOpenProcess  (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {444, 0}, ... 324, ) == 0x0
 01880   452   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01881   452   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01882   452   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 316, ... 328, ) == 0x0
 01883   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01884   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 332, ) }, ... 332, ) == 0x0
 01885   452   NtQueryValueKey  (332,  (332, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01886   452   NtClose  (332, ... ) == 0x0
 01887   452   NtQueryVolumeInformationFile  (316, 1238724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01888   452   NtOpenMutant  (0x120001, {24, 56, 0x0, 0, 0,  (0x120001, {24, 56, 0x0, 0, 0, "ShimCacheMutex"}, ... 332, ) }, ... 332, ) == 0x0
 01889   452   NtWaitForSingleObject  (332, 0, {-1000000, -1}, ... ) == 0x0
 01890   452   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "ShimSharedMemory"}, ... 336, ) }, ... 336, ) == 0x0
 01891   452   NtMapViewOfSection  (336, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0
 01892   452   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 01893   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236708, ... ) }, 1236708, ... ) == 0x0
 01894   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0
 01895   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 340, ... 344, ) == 0x0
 01896   452   NtClose  (340, ... ) == 0x0
 01897   452   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1ab0000), 0x0, 106496, ) == 0x0
 01898   452   NtClose  (344, ... ) == 0x0
 01899   452   NtUnmapViewOfSection  (-1, 0x1ab0000, ... ) == 0x0
 01900   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237024, ... ) }, 1237024, ... ) == 0x0
 01901   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 01902   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 344, ... 340, ) == 0x0
 01903   452   NtQuerySection  (340, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01904   452   NtClose  (344, ... ) == 0x0
 01905   452   NtMapViewOfSection  (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01906   452   NtClose  (340, ... ) == 0x0
 01907   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 01908   452   NtQueryInformationFile  (340, 1237312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01909   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 340, ... 344, ) == 0x0
 01910   452   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1ab0000), 0x0, 1028096, ) == 0x0
 01911   452   NtQueryInformationFile  (340, 1237408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01912   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01914   452   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01915   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01916   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1234972, 616, BothDirectory, 1,  (348, 0, 0, 0, 1234972, 616, BothDirectory, 1, "sddathg32.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01917   452   NtClose  (348, ... ) == 0x0
 01918   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01919   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01920   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 1234360, ... ) }, 1234360, ... ) == 0x0
 01921   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01922   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1233720, 616, BothDirectory, 1,  (348, 0, 0, 0, 1233720, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01923   452   NtClose  (348, ... ) == 0x0
 01924   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01925   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1233720, 616, BothDirectory, 1,  (348, 0, 0, 0, 1233720, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01926   452   NtClose  (348, ... ) == 0x0
 01927   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01928   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01929   452   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01930   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01931   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 01932   452   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01933   452   NtClose  (348, ... ) == 0x0
 01934   452   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   452   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\sddathg32.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01936   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01937   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01938   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 1236640, ... ) }, 1236640, ... ) == 0x0
 01939   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01940   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (348, 0, 0, 0, 1236000, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01941   452   NtClose  (348, ... ) == 0x0
 01942   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01943   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (348, 0, 0, 0, 1236000, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01944   452   NtClose  (348, ... ) == 0x0
 01945   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01946   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01947   452   NtWaitForSingleObject  (332, 0, {-1000000, -1}, ... ) == 0x0
 01948   452   NtQueryVolumeInformationFile  (316, 1237284, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01949   452   NtQueryInformationFile  (316, 1237264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01950   452   NtQueryInformationFile  (316, 1237304, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01951   452   NtReleaseMutant  (332, ... 0x0, ) == 0x0
 01952   452   NtUnmapViewOfSection  (-1, 0x1ab0000, ... ) == 0x0
 01953   452   NtClose  (344, ... ) == 0x0
 01954   452   NtClose  (340, ... ) == 0x0
 01955   452   NtQuerySection  (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01956   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sddathg32.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01957   452   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01958   452   NtOpenProcessToken  (-1, 0xa, ... 340, ) == 0x0
 01959   452   NtQueryInformationToken  (340, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01960   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01961   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0
 01962   452   NtQueryValueKey  (344,  (344, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (344, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01963   452   NtQueryValueKey  (344,  (344, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (344, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01964   452   NtClose  (344, ... ) == 0x0
 01965   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0
 01966   452   NtQueryValueKey  (344,  (344, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01967   452   NtQueryValueKey  (344,  (344, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (344, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01968   452   NtClose  (344, ... ) == 0x0
 01969   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01970   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0
 01971   452   NtQueryValueKey  (344,  (344, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   452   NtClose  (344, ... ) == 0x0
 01973   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01974   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01975   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01976   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01977   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01978   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01979   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01980   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01981   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01982   452   NtQueryDefaultLocale  (1, 1238096, ... ) == 0x0
 01983   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 344, ) }, ... 344, ) == 0x0
 01984   452   NtEnumerateKey  (344, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (344, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01985   452   NtOpenKey  (0x20019, {24, 344, 0x40, 0, 0,  (0x20019, {24, 344, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 348, ) }, ... 348, ) == 0x0
 01986   452   NtQueryValueKey  (348,  (348, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (348, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01987   452   NtQueryValueKey  (348,  (348, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (348, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01988   452   NtClose  (348, ... ) == 0x0
 01989   452   NtEnumerateKey  (344, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01990   452   NtClose  (344, ... ) == 0x0
 01991   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01992   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01993   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01995   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01997   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02001   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02002   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02003   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02006   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02007   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02008   452   NtClose  (344, ... ) == 0x0
 02009   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02012   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   452   NtClose  (344, ... ) == 0x0
 02014   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02016   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02017   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02018   452   NtClose  (344, ... ) == 0x0
 02019   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02020   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02021   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02022   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02023   452   NtClose  (344, ... ) == 0x0
 02024   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02025   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02027   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   452   NtClose  (344, ... ) == 0x0
 02029   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02031   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02032   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02033   452   NtClose  (344, ... ) == 0x0
 02034   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02035   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02036   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02037   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02038   452   NtClose  (344, ... ) == 0x0
 02039   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02041   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02042   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02043   452   NtClose  (344, ... ) == 0x0
 02044   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02045   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02046   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02047   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02048   452   NtClose  (344, ... ) == 0x0
 02049   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02051   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02052   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02053   452   NtClose  (344, ... ) == 0x0
 02054   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02055   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02056   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02057   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02058   452   NtClose  (344, ... ) == 0x0
 02059   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02060   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02061   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02062   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02063   452   NtClose  (344, ... ) == 0x0
 02064   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02065   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02066   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02067   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02068   452   NtClose  (344, ... ) == 0x0
 02069   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02070   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02071   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02072   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02073   452   NtClose  (344, ... ) == 0x0
 02074   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02075   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02076   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02077   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02078   452   NtClose  (344, ... ) == 0x0
 02079   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02080   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0
 02081   452   NtQueryValueKey  (344,  (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02082   452   NtClose  (344, ... ) == 0x0
 02083   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 02085   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   452   NtClose  (344, ... ) == 0x0
 02087   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   452   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02089   452   NtOpenProcessToken  (-1, 0xa, ... 344, ) == 0x0
 02090   452   NtDuplicateToken  (344, 0xc, {24, 0, 0x0, 0, 1238616, 0x0}, 0, 2, ... 348, ) == 0x0
 02091   452   NtClose  (344, ... ) == 0x0
 02092   452   NtAccessCheck  (1393520, 348, 0x1, 1238744, 1238688, 56, 1238772, ... (0x1), ) == 0x0
 02093   452   NtClose  (348, ... ) == 0x0
 02094   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0
 02095   452   NtQueryValueKey  (348,  (348, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (348, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02096   452   NtClose  (348, ... ) == 0x0
 02097   452   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 348, ) }, ... 348, ) == 0x0
 02098   452   NtQuerySymbolicLinkObject  (348, ...  (348, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02099   452   NtClose  (348, ... ) == 0x0
 02100   452   NtQueryInformationFile  (316, 1237076, 528, Name, ... {status=0x0, info=66}, ) == 0x0
 02101   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02102   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02103   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe"}, 1235756, ... ) }, 1235756, ... ) == 0x0
 02104   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02105   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1235116, 616, BothDirectory, 1,  (348, 0, 0, 0, 1235116, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02106   452   NtClose  (348, ... ) == 0x0
 02107   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02108   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1235116, 616, BothDirectory, 1,  (348, 0, 0, 0, 1235116, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02109   452   NtClose  (348, ... ) == 0x0
 02110   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02111   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02112   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 348, ) == 0x0
 02114   452   NtQueryInformationToken  (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   452   NtClose  (348, ... ) == 0x0
 02116   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0
 02117   452   NtOpenKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 344, ) }, ... 344, ) == 0x0
 02118   452   NtClose  (348, ... ) == 0x0
 02119   452   NtQueryValueKey  (344,  (344, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02120   452   NtQueryValueKey  (344,  (344, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (344, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02121   452   NtClose  (344, ... ) == 0x0
 02122   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 4128768, 4096, ) == 0x0
 02123   452   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 02124   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0
 02125   452   NtQueryValueKey  (344,  (344, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02126   452   NtClose  (344, ... ) == 0x0
 02127   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02128   452   NtQueryInformationToken  (340, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02129   452   NtQueryInformationToken  (340, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02130   452   NtClose  (340, ... ) == 0x0
 02131   452   NtCreateProcessEx  (1241352, 2035711, 0, -1, 4, 328, 0, 0, 0, ... ) == 0x0
 02132   452   NtSetInformationProcess  (340, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 02133   452   NtQueryInformationProcess  (340, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1436,ParentPid=444,}, 0x0, ) == 0x0
 02134   452   NtReadVirtualMemory  (340, 0x7ffdf008, 4, ...  (340, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02135   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sddathg32.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02136   452   NtAllocateVirtualMemory  (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0
 02137   452   NtReadVirtualMemory  (340, 0x400000, 4096, ...  (340, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0,\354.\261h\215@\342h\215@\342h\215@\342\242\256g\342i\215@\342\222\251\0\342v\215@\342\222\251\\342\344\215@\342\222\256Y\342m\215@\342h\215A\342\344\215@\342\222\251]\342-\215@\342\222\251}\342i\215@\342Richh\215@\342\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\247\25{C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\332\1\0\0\274\5\0\0\0\0\0\0\340\7\0\0\20\0\0\0\360\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\7\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\334\3\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\300\7\0\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\304\330\1\0\0\20\0\0\0\16\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02138   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02139   452   NtQueryInformationProcess  (340, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1436,ParentPid=444,}, 0x0, ) == 0x0
 02140   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239416, ... ) }, 1239416, ... ) == 0x0
 02141   452   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 27983872, 4096, ) == 0x0
 02142   452   NtAllocateVirtualMemory  (340, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02143   452   NtWriteVirtualMemory  (340, 0x10000,  (340, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02144   452   NtAllocateVirtualMemory  (340, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 02145   452   NtWriteVirtualMemory  (340, 0x20000,  (340, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0B\0D\0\230\5\0\0t\0v\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0T\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 02146   452   NtWriteVirtualMemory  (340, 0x7ffdf010,  (340, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02147   452   NtWriteVirtualMemory  (340, 0x7ffdf1e8,  (340, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02148   452   NtFreeVirtualMemory  (-1, (0x1ab0000), 0, 32768, ... (0x1ab0000), 4096, ) == 0x0
 02149   452   NtAllocateVirtualMemory  (340, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02150   452   NtAllocateVirtualMemory  (340, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02151   452   NtProtectVirtualMemory  (340, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02152   452   NtCreateThread  (0x1f03ff, 0x0, 340, 1239616, 1240336, 1, ... 344, {1436, 1460}, ) == 0x0
 02153   452   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1385320, 1241436}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1385320, 1241436} "\0\0\0\0\0\0\1\0\2$\370w U\367wW\1\0\0X\1\0\0\234\5\0\0\264\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 444, 452, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wT\1\0\0X\1\0\0\234\5\0\0\264\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" )  ... {168, 196, reply, 0, 444, 452, 1522, 0}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1385320, 1241436} "\0\0\0\0\0\0\1\0\2$\370w U\367wW\1\0\0X\1\0\0\234\5\0\0\264\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" ... {168, 196, reply, 0, 444, 452, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wT\1\0\0X\1\0\0\234\5\0\0\264\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0s\0t\0e\0" )  ) == 0x0
 02154   452   NtResumeThread  (344, ... 1, ) == 0x0
 02155   452   NtClose  (316, ... ) == 0x0
 02156   452   NtClose  (328, ... ) == 0x0
 02157   452   NtDelayExecution  (0, {-2000000, -1}, ... ) == 0x0
 02158   452   NtClose  (340, ... ) == 0x0
 02159   452   NtClose  (344, ... ) == 0x0
 02160   452   NtTerminateProcess  (0, 0, ... ) == 0x0
 02161   452   NtFreeVirtualMemory  (-1, (0x3d0000), 0, 32768, ... (0x3d0000), 65536, ) == 0x0
 02162   452   NtClose  (260, ... ) == 0x0
 02163   452   NtClose  (264, ... ) == 0x0
 02164   452   NtClose  (272, ... ) == 0x0
 02165   452   NtClose  (268, ... ) == 0x0
 02166   452   NtClose  (276, ... ) == 0x0
 02167   452   NtClose  (248, ... ) == 0x0
 02168   452   NtClose  (256, ... ) == 0x0
 02169   452   NtClose  (292, ... ) == 0x0
 02170   452   NtClose  (288, ... ) == 0x0
 02171   452   NtClose  (284, ... ) == 0x0
 02172   452   NtClose  (280, ... ) == 0x0
 02173   452   NtClose  (252, ... ) == 0x0
 02174   452   NtClose  (236, ... ) == 0x0
 02175   452   NtClose  (232, ... ) == 0x0
 02176   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02177   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02178   452   NtClose  (224, ... ) == 0x0
 02179   452   NtUnmapViewOfSection  (-1, 0x19a0000, ... ) == 0x0
 02180   452   NtClose  (228, ... ) == 0x0
 02181   452   NtClose  (220, ... ) == 0x0
 02182   452   NtClose  (208, ... ) == 0x0
 02183   452   NtClose  (212, ... ) == 0x0
 02184   452   NtClose  (216, ... ) == 0x0
 02185   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02186   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 02187   452   NtWaitForMultipleObjects  (2, (180, 188, ), 1, 0, 0x0, ... ) == 0x1
 02188   452   NtClose  (188, ... ) == 0x0
 02189   452   NtSetEvent  (180, ... 0x0, ) == 0x0
 02190   452   NtClose  (180, ... ) == 0x0
 02191   452   NtWaitForMultipleObjects  (2, (192, 196, ), 1, 0, 0x0, ... ) == 0x1
 02192   452   NtClose  (196, ... ) == 0x0
 02193   452   NtSetEvent  (192, ... 0x0, ) == 0x0
 02194   452   NtClose  (192, ... ) == 0x0
 02195   452   NtWaitForMultipleObjects  (2, (200, 204, ), 1, 0, 0x0, ... ) == 0x1
 02196   452   NtClose  (204, ... ) == 0x0
 02197   452   NtSetEvent  (200, ... 0x0, ) == 0x0
 02198   452   NtClose  (200, ... ) == 0x0
 02199   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 02200   452   NtFreeVirtualMemory  (-1, (0x1960000), 0, 32768, ... (0x1960000), 262144, ) == 0x0
 02201   452   NtUserUnregisterClass  (1241736, 1991376896, 1241724, ... ) == 0x0
 02202   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03b
 02203   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02204   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03d
 02205   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02206   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc03f
 02207   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02208   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc041
 02209   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02210   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc043
 02211   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02212   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc045
 02213   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02214   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc047
 02215   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02216   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc049
 02217   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02218   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04b
 02219   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02220   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04d
 02221   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02222   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc04f
 02223   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02224   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc051
 02225   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02226   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc053
 02227   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02228   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc057
 02229   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02230   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc059
 02231   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02232   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05b
 02233   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02234   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05d
 02235   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02236   452   NtUserGetClassInfo  (1999896576, 1241824, 1241776, 1241852, 0, ... ) == 0xc05f
 02237   452   NtUserUnregisterClass  (1241828, 1999896576, 1241816, ... ) == 0x1
 02238   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02239   452   NtClose  (108, ... ) == 0x0
 02240   452   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 02241   452   NtClose  (112, ... ) == 0x0
 02242   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 02243   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 02244   452   NtClose  (80, ... ) == 0x0
 02245   452   NtClose  (68, ... ) == 0x0
 02246   452   NtClose  (84, ... ) == 0x0
 02247   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03b
 02248   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02249   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03d
 02250   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02251   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc03f
 02252   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02253   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc041
 02254   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02255   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc043
 02256   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02257   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc045
 02258   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02259   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc047
 02260   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02261   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc049
 02262   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02263   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04b
 02264   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02265   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04d
 02266   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02267   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc04f
 02268   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02269   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc051
 02270   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02271   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc053
 02272   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02273   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc057
 02274   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02275   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc059
 02276   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02277   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05b
 02278   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02279   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05d
 02280   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02281   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc05f
 02282   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02283   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc017
 02284   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02285   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc019
 02286   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02287   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc018
 02288   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02289   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01a
 02290   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02291   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01c
 02292   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02293   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01e
 02294   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02295   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc01b
 02296   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02297   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc068
 02298   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02299   452   NtUserGetClassInfo  (1905590272, 1241824, 1241776, 1241852, 0, ... ) == 0xc06a
 02300   452   NtUserUnregisterClass  (1241828, 1905590272, 1241816, ... ) == 0x1
 02301   452   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 02302   452   NtClose  (76, ... ) == 0x0
 02303   452   NtClose  (64, ... ) == 0x0
 02304   452   NtWaitForSingleObject  (132, 0, 0x0, ... ) == 0x0
 02305   452   NtClearEvent  (132, ... ) == 0x0
 02306   452   NtSetEvent  (132, ... 0x0, ) == 0x0
 02307   452   NtClose  (132, ... ) == 0x0
 02308   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02309   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02310   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02311   452   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02312   452   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 02313   452   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68}  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68} "\0\0\0\0\3\0\1\0h\32\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 444, 452, 1581, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 444, 452, 1581, 0}  (24, {20, 48, new_msg, 0, 65536, 4323958, 1, 68} "\0\0\0\0\3\0\1\0h\32\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 444, 452, 1581, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02314   452   NtTerminateProcess  (-1, 0, ...
 02315   452   NtClose  (48, ... ) == 0x0