Summary (each entry is a system call name followed by the number of times it was called):

NtCallbackReturn(>) 1 NtOpenProcessToken(>) 2 NtOpenProcessTokenEx(>) 10 NtUserRegisterClassExWOW(>) 34
NtConnectPort(>) 1 NtQueryInstallUILanguage(>) 2 NtOpenThreadTokenEx(>) 10 NtContinue(>) 35
NtGdiCreateBitmap(>) 1 NtRaiseException(>) 2 NtWriteFile(>) 10 NtQueryDebugFilterState(>) 36
NtGdiInit(>) 1 NtAddAtom(>) 3 NtQueryVolumeInformationFile(>) 12 NtRequestWaitReplyPort(>) 36
NtGdiQueryFontAssocInfo(>) 1 NtClearEvent(>) 3 NtQueryInformationToken(>) 13 NtQuerySystemInformation(>) 44
NtGdiSelectBitmap(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryDefaultUILanguage(>) 14 NtCreateEvent(>) 45
NtOpenKeyedEvent(>) 1 NtNotifyChangeKey(>) 3 NtReadFile(>) 14 NtSetInformationThread(>) 45
NtOpenProcess(>) 1 NtReleaseSemaphore(>) 3 NtUserFindWindowEx(>) 14 NtFreeVirtualMemory(>) 49
NtOpenSymbolicLinkObject(>) 1 NtSetInformationObject(>) 3 NtCreateKey(>) 15 NtCreateSection(>) 52
NtQueryEvent(>) 1 NtTerminateProcess(>) 3 NtSetValueKey(>) 15 NtQueryVirtualMemory(>) 53
NtQueryObject(>) 1 NtUserGetDC(>) 3 NtSetInformationFile(>) 17 NtUserGetClassInfo(>) 54
NtQuerySymbolicLinkObject(>) 1 NtWaitForMultipleObjects(>) 3 NtFsControlFile(>) 18 NtOpenSection(>) 56
NtQuerySystemTime(>) 1 NtDuplicateObject(>) 4 NtUserUnregisterClass(>) 19 NtOpenFile(>) 74
NtQueryTimerResolution(>) 1 NtEnumerateKey(>) 4 NtQueryInformationFile(>) 20 NtMapViewOfSection(>) 80
NtSecureConnectPort(>) 1 NtGdiGetStockObject(>) 5 NtUserRegisterWindowMessage(>) 22 NtProtectVirtualMemory(>) 82
NtSetInformationProcess(>) 1 NtCreateMutant(>) 6 NtUserFindExistingCursorIcon(>) 24 NtSetEvent(>) 92
NtUserCallNoParam(>) 1 NtDeviceIoControlFile(>) 6 NtCreateThread(>) 25 NtDelayExecution(>) 118
NtUserGetForegroundWindow(>) 1 NtOpenEvent(>) 6 NtFlushInstructionCache(>) 25 NtQueryAttributesFile(>) 118
NtUserGetObjectInformation(>) 1 NtOpenThreadToken(>) 7 NtQueryInformationThread(>) 25 NtWaitForSingleObject(>) 141
NtUserGetProcessWindowStation(>) 1 NtQueryInformationProcess(>) 7 NtResumeThread(>) 25 NtOpenKey(>) 157
NtUserGetThreadDesktop(>) 1 NtUserSystemParametersInfo(>) 7 NtCreateFile(>) 26 NtAllocateVirtualMemory(>) 224
NtUserQueryWindow(>) 1 NtQueryDefaultLocale(>) 9 NtRegisterThreadTerminatePort(>) 26 NtClose(>) 318
NtCreateIoCompletion(>) 2 NtReleaseMutant(>) 9 NtTestAlert(>) 26 NtQueryValueKey(>) 329
NtGdiCreateSolidBrush(>) 2 NtCreateSemaphore(>) 10 NtQuerySection(>) 33
NtOpenDirectoryObject(>) 2 NtOpenMutant(>) 10

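Trace (each entry: sequence number, caller ID, system call with its input arguments, "..." followed by output arguments, then "==" and the return status; a call interrupted by a nested call is resumed later under the same sequence number):

Entries 00233–00235 try to open the device names \??\SICE, \??\SIWVID and \??\NTICE, which are associated with the SoftICE kernel debugger; all three return STATUS_OBJECT_NAME_NOT_FOUND. Entries 00240–00251 read KERNEL32.dll, USER32.dll and ADVAPI32.dll from disk as plain files into memory allocated with protection value 64, rather than mapping them as image sections.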

00001 400 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 400 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 400 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 400 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 400 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 400 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 400 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 400 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 400 NtClose (12, ... 
) == 0x0 00014 400 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 400 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 400 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 400 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 400 NtClose (16, ... ) == 0x0 00021 400 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 400 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 400 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 400 NtClose (16, ... ) == 0x0 00026 400 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 400 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 400 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 400 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 400 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 396, 400, 1490, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 396, 400, 1490, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 396, 400, 1490, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 400 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 400 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 400 NtClose (16, ... ) == 0x0 00036 400 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 400 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 400 NtClose (28, ... ) == 0x0 00041 400 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 400 NtClose (28, ... ) == 0x0 00045 400 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 400 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 400 NtClose (28, ... ) == 0x0 00049 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 400 NtClose (28, ... ) == 0x0 00052 400 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 396, 400, 1492, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 396, 400, 1492, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 396, 400, 1492, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 400 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 8, ) == 0x0 00057 400 NtProtectVirtualMemory (-1, (0x484000), 4096, 8, ... (0x484000), 4096, 4, ) == 0x0 00058 400 NtFlushInstructionCache (-1, 4734976, 4096, ... ) == 0x0 00059 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00061 400 NtClose (28, ... ) == 0x0 00062 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 400 NtClose (28, ... ) == 0x0 00065 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00067 400 NtClose (28, ... ) == 0x0 00068 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00070 400 NtClose (28, ... ) == 0x0 00071 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00072 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00073 400 NtClose (28, ... 
) == 0x0 00074 400 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 4, ) == 0x0 00075 400 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 4, ) == 0x0 00076 400 NtFlushInstructionCache (-1, 4734976, 4096, ... ) == 0x0 00077 400 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00078 400 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00079 400 NtClose (28, ... ) == 0x0 00080 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00081 400 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00082 400 NtClose (28, ... ) == 0x0 00083 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00084 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 396, 400, 1495, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 396, 400, 1495, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... 
{28, 56, reply, 0, 396, 400, 1495, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00085 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 400 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x590000), 0x0, 1060864, ) == 0x0 00087 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00088 400 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00089 400 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00090 400 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00091 400 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00092 400 NtClose (-2147482020, ... ) == 0x0 00093 400 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00094 400 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00095 400 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00096 400 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00097 400 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00098 400 NtClose (-2147482020, ... ) == 0x0 00099 400 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00100 400 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 400 NtClose (-2147482020, ... ) == 0x0 00102 400 NtQueryDefaultLocale (0, -132412916, ... 
) == 0x0 00103 400 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00104 400 NtUserCallNoParam (24, ... ) == 0x0 00105 400 NtGdiCreateCompatibleDC (0, ... 00106 400 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00105 400 NtGdiCreateCompatibleDC ... ) == 0x100103cf 00107 400 NtGdiGetStockObject (0, ... ) == 0x1900010 00108 400 NtGdiGetStockObject (4, ... ) == 0x1900011 00109 400 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xf0503ef 00110 400 NtGdiCreateSolidBrush (0, 0, ... 00111 400 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 10092544, 4096, ) == 0x0 00110 400 NtGdiCreateSolidBrush ... ) == 0x1b1003ee 00112 400 NtGdiGetStockObject (13, ... ) == 0x18a0021 00113 400 NtGdiCreateCompatibleDC (0, ... ) == 0xe01040b 00114 400 NtGdiSelectBitmap (234947595, 251986927, ... ) == 0x185000f 00115 400 NtUserGetThreadDesktop (400, 0, ... ) == 0x28 00116 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00117 400 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00118 400 NtClose (48, ... ) == 0x0 00119 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00120 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810ec017 00121 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00122 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810ec01c 00123 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00124 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810ec01e 00125 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10011 00126 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810e8002 00127 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00128 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810ec018 00129 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810ec01a 00131 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810ec01d 00133 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00135 400 NtAllocateVirtualMemory (-1, 7041024, 0, 4096, 4096, 32, ... 7041024, 4096, ) == 0x0 00134 400 NtUserRegisterClassExWOW ... ) == 0x810ec026 00136 400 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00137 400 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810ec019 00138 400 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec020 00139 400 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec022 00140 400 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec023 00141 400 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00142 400 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec024 00143 400 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec025 00144 400 NtCallbackReturn (0, 0, 0, ... 00145 400 NtGdiInit (... ) == 0x1 00146 400 NtGdiGetStockObject (18, ... ) == 0x290001c 00147 400 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00148 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00149 400 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00150 400 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00151 400 NtClose (48, ... ) == 0x0 00152 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00153 400 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 400 NtClose (48, ... ) == 0x0 00155 400 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00156 400 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00157 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 400 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00159 400 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 400 NtClose (52, ... ) == 0x0 00161 400 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {396, 0}, ... 
52, ) == 0x0 00162 400 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00163 400 NtClose (52, ... ) == 0x0 00164 400 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00165 400 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00166 400 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00167 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00168 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00169 400 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00170 400 NtClose (52, ... ) == 0x0 00171 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0 00172 400 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00173 400 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00174 400 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 400 NtClose (56, ... ) == 0x0 00176 400 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00177 400 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00178 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00179 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00180 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03b 00181 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00182 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03d 00183 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00184 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... 
) == 0x10011 00185 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03f 00186 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00187 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00188 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec041 00189 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00190 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00191 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec043 00192 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00193 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec045 00194 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00195 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00196 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec047 00197 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00198 400 NtUserFindExistingCursorIcon (1242920, 1242936, 1243504, ... ) == 0x10011 00199 400 NtUserRegisterClassExWOW (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810ec049 00200 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00201 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00202 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec04b 00203 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00204 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00205 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810ec04d 00206 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00207 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00208 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec04f 00209 400 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0 00210 400 NtUserRegisterClassExWOW (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810ec051 00211 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00212 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00213 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec053 00214 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00215 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00216 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec055 00217 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec057 00218 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00219 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00220 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec059 00221 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00222 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10013 00223 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec05b 00224 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00225 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00226 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810ec05d 00227 400 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00228 400 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00229 400 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec05f 00230 400 NtTestAlert (... ) == 0x0 00231 400 NtContinue (1244464, 1, ... 00232 400 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x485014,}, 4, ... ) == 0x0 00233 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00234 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00237 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00238 400 NtContinue (1244368, 0, ... 00239 400 NtContinue (1244336, 0, ... 00240 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0 00241 400 NtQueryInformationFile (56, 1245004, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 00242 400 NtAllocateVirtualMemory (-1, 0, 0, 926720, 4096, 64, ... 10158080, 929792, ) == 0x0 00243 400 NtReadFile (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\233\10S\206\337i=\325\337i=\325\337i=\325\337i<\325]h=\325%J$\325\334i=\325\337i=\325\335i=\325%J\2\325\336i=\325HJx\325\336i=\325%J}\325\334i=\325\5J!\325\16i=\325\5J \325\334i=\325%J\0\325\336i=\325Rich\337i=\325\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0H\7\0\0\336\6\0\0\0\0\0A\242\1\0\0\20\0\0\0\20\7\0\0\0\346w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\16\0\0\4\0\0\222\207\16\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0@!\2\0\210i\0\0\304-\7\0(\0\0\0\0\220\7\0\330^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\15\0\20S\0\0 V\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250f\7\0@\0\0\0\220\2\0\0\34\0\0\0\0\20\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0 00244 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00245 400 NtQueryInformationFile (60, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00246 400 NtAllocateVirtualMemory (-1, 0, 0, 561152, 4096, 64, ... 11141120, 561152, ) == 0x0 00247 400 NtReadFile (60, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152}, (60, 0, 0, 0, 561152, 0x0, 0, ... 
{status=0x0, info=561152}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0cf;e'\7U6'\7U6'\7U6'\7T6`\6U6\335$L6 \7U6'\7U6%\7U6\335$j6&\7U6\260$\206&\7U6\335$\256!\7U6\375$I6U\7U6\335$h6&\7U6Rich'\7U6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\262\5\0\0\340\2\0\0\0\0\0KQ\0\0\0\20\0\0\0P\5\0\0\0\324w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\320\10\0\0\4\0\0\35?\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0pk\1\0\251K\0\0\230\244\5\0P\0\0\0\0\360\5\0\210\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\10\0\270+\0\0\0\300\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\324\4\0\0\300\241\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\08\260\5\0", ) , ) == 0x0 00248 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244956, (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00249 400 NtQueryInformationFile (64, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00250 400 NtAllocateVirtualMemory (-1, 0, 0, 549888, 4096, 64, ... 11730944, 552960, ) == 0x0 00251 400 NtReadFile (64, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888}, (64, 0, 0, 0, 549888, 0x0, 0, ... 
{status=0x0, info=549888}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\375\343\244\227\271\202\312\304\271\202\312\304\271\202\312\304C\241\323\304\276\202\312\304\271\202\312\304\273\202\312\304C\241\212\304\275\202\312\304\364\241\326\304\262\202\312\304p\240\340\304\277\202\312\304\271\202\313\304\37\203\312\304C\241\365\304\270\202\312\304.\241\217\304\270\202\312\304c\241\327\304\255\202\312\304c\241\326\304:\202\312\304C\241\367\304\270\202\312\304Rich\271\202\312\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0B\6\0\02\2\0\0\0\0\0\373\34\0\0\0\20\0\0\0 \6\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\10\0\0\4\0\0\305\371\10\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\224\1\0YQ\0\0\204(\6\0P\0\0\0\0\260\6\0h\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\10\0\264D\0\0\330P\6\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0L\0\0\0\0\20\0\0\\6\0\0\360&\6\0`\0\0\0\0\0\0\0", ) , ) == 0x0 00252 400 NtClose (64, ... ) == 0x0 00253 400 NtClose (60, ... ) == 0x0 00254 400 NtClose (56, ... ) == 0x0 00255 400 NtRaiseException (1244384, 1243644, 1, ... 00256 400 NtContinue (1242440, 0, ... 00257 400 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0 00258 400 NtOpenMutant (0x120001, {24, 56, 0x2, 0, 0, (0x120001, {24, 56, 0x2, 0, 0, "DBWinMutex"}, ... 60, ) }, ... 60, ) == 0x0 00259 400 NtWaitForSingleObject (60, 0, 0x0, ... ) == 0x0 00260 400 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 400 NtReleaseMutant (60, ... 
0x0, ) == 0x0 00262 400 NtAllocateVirtualMemory (-1, 0, 0, 748, 4096, 4, ... 12320768, 4096, ) == 0x0 00263 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == 0x0 00267 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00268 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00269 400 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00270 400 NtOpenProcessToken (-1, 0x8, ... 72, ) == 0x0 00271 400 NtQueryInformationToken (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00272 400 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 400 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00274 400 NtQueryValueKey (76, (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00275 400 NtClose (76, ... ) == 0x0 00276 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00277 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00278 400 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00279 400 NtClose (76, ... ) == 0x0 00280 400 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 400 NtClose (72, ... ) == 0x0 00282 400 NtClose (64, ... ) == 0x0 00283 400 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00284 400 NtClose (68, ... ) == 0x0 00285 400 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00286 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00287 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00288 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0 00289 400 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 76, ) }, ... 76, ) == 0x0 00290 400 NtQueryValueKey (76, (76, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 400 NtQueryValueKey (76, (76, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00292 400 NtQueryValueKey (76, (76, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 400 NtQueryValueKey (76, (76, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 400 NtQueryValueKey (76, (76, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00295 400 NtQueryValueKey (76, (76, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 400 NtQueryValueKey (76, (76, "wave6", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00297 400 NtQueryValueKey (76, (76, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00298 400 NtQueryValueKey (76, (76, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 400 NtQueryValueKey (76, (76, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00300 400 NtQueryValueKey (76, (76, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 400 NtQueryValueKey (76, (76, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 400 NtQueryValueKey (76, (76, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00303 400 NtQueryValueKey (76, (76, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 400 NtQueryValueKey (76, (76, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 400 NtQueryValueKey (76, (76, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 400 NtQueryValueKey (76, (76, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 400 NtQueryValueKey (76, (76, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 400 NtQueryValueKey (76, (76, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 400 NtQueryValueKey (76, (76, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 400 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 00311 400 NtQueryValueKey (76, (76, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 400 NtQueryValueKey (76, (76, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00313 400 NtQueryValueKey (76, (76, "aux2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00314 400 NtQueryValueKey (76, (76, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 400 NtQueryValueKey (76, (76, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 400 NtQueryValueKey (76, (76, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 400 NtQueryValueKey (76, (76, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 400 NtQueryValueKey (76, (76, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00319 400 NtQueryValueKey (76, (76, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00320 400 NtQueryValueKey (76, (76, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 400 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 00322 400 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 80, ) }, ... 80, ) == 0x0 00323 400 NtQueryValueKey (80, (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00324 400 NtClose (80, ... ) == 0x0 00325 400 NtCreateEvent (0x1f0003, {24, 56, 0x80, 0, 0, (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00326 400 NtQueryValueKey (76, (76, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 400 NtQueryValueKey (76, (76, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00328 400 NtQueryValueKey (76, (76, "mixer2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00329 400 NtQueryValueKey (76, (76, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 400 NtQueryValueKey (76, (76, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 400 NtQueryValueKey (76, (76, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 400 NtQueryValueKey (76, (76, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00333 400 NtQueryValueKey (76, (76, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 400 NtQueryValueKey (76, (76, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00335 400 NtQueryValueKey (76, (76, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00336 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0 00337 400 NtAllocateVirtualMemory (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0 00338 400 NtProtectVirtualMemory (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0 00339 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 80, {396, 564}, ) == 0x0 00340 400 NtQueryInformationThread (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=396,Tid=564,}, 0x0, ) == 0x0 00341 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0- (P\0\0\0\214\1\0\04\2\0\0" ... {28, 56, reply, 0, 396, 400, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (P\0\0\0\214\1\0\04\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1506, 0} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0- (P\0\0\0\214\1\0\04\2\0\0" ... {28, 56, reply, 0, 396, 400, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (P\0\0\0\214\1\0\04\2\0\0" ) ) == 0x0 00342 400 NtResumeThread (80, ... 
1, ) == 0x0 00343 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0 00344 400 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0 00345 564 NtTestAlert (... ) == 0x0 00346 564 NtContinue (13434160, 1, ... 00347 564 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00348 564 NtDelayExecution (0, {-150000, -1}, ... 00349 400 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0 00350 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 84, {396, 384}, ) == 0x0 00351 400 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=396,Tid=384,}, 0x0, ) == 0x0 00352 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1506, 0} (24, {28, 56, new_msg, 0, 396, 400, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\214\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 396, 400, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\214\1\0\0\200\1\0\0" ) ... {28, 56, reply, 0, 396, 400, 1507, 0} (24, {28, 56, new_msg, 0, 396, 400, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\214\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 396, 400, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\214\1\0\0\200\1\0\0" ) ) == 0x0 00353 400 NtResumeThread (84, ... 1, ) == 0x0 00354 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00355 384 NtTestAlert (... ) == 0x0 00356 384 NtContinue (14482736, 1, ... 00357 384 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00358 384 NtDelayExecution (0, {-150000, -1}, ... 00354 400 NtAllocateVirtualMemory ... 14483456, 1048576, ) == 0x0 00359 400 NtAllocateVirtualMemory (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0 00360 400 NtProtectVirtualMemory (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0 00361 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 88, {396, 380}, ) == 0x0 00362 400 NtQueryInformationThread (88, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=396,Tid=380,}, 0x0, ) == 0x0 00363 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1507, 0} (24, {28, 56, new_msg, 0, 396, 400, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\214\1\0\0|\1\0\0" ... {28, 56, reply, 0, 396, 400, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\214\1\0\0|\1\0\0" ) ... {28, 56, reply, 0, 396, 400, 1508, 0} (24, {28, 56, new_msg, 0, 396, 400, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\214\1\0\0|\1\0\0" ... {28, 56, reply, 0, 396, 400, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\214\1\0\0|\1\0\0" ) ) == 0x0 00364 400 NtResumeThread (88, ... 1, ) == 0x0 00365 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0 00366 400 NtAllocateVirtualMemory (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0 00367 380 NtTestAlert (... ) == 0x0 00368 380 NtContinue (15531312, 1, ... 00369 380 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00370 380 NtDelayExecution (0, {-150000, -1}, ... 00371 400 NtProtectVirtualMemory (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0 00372 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 92, {396, 568}, ) == 0x0 00373 400 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=396,Tid=568,}, 0x0, ) == 0x0 00374 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1508, 0} (24, {28, 56, new_msg, 0, 396, 400, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\214\1\0\08\2\0\0" ... {28, 56, reply, 0, 396, 400, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\214\1\0\08\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1509, 0} (24, {28, 56, new_msg, 0, 396, 400, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\214\1\0\08\2\0\0" ... {28, 56, reply, 0, 396, 400, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\214\1\0\08\2\0\0" ) ) == 0x0 00375 400 NtResumeThread (92, ... 1, ) == 0x0 00376 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00377 568 NtTestAlert (... 
) == 0x0 00378 568 NtContinue (16579888, 1, ... 00379 568 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00380 568 NtDelayExecution (0, {-150000, -1}, ... 00376 400 NtAllocateVirtualMemory ... 16580608, 1048576, ) == 0x0 00381 400 NtAllocateVirtualMemory (-1, 17620992, 0, 8192, 4096, 4, ... 17620992, 8192, ) == 0x0 00382 400 NtProtectVirtualMemory (-1, (0x10ce000), 4096, 260, ... (0x10ce000), 4096, 4, ) == 0x0 00383 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 96, {396, 572}, ) == 0x0 00384 400 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=396,Tid=572,}, 0x0, ) == 0x0 00385 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1509, 0} (24, {28, 56, new_msg, 0, 396, 400, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\214\1\0\0<\2\0\0" ... {28, 56, reply, 0, 396, 400, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\214\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1510, 0} (24, {28, 56, new_msg, 0, 396, 400, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\214\1\0\0<\2\0\0" ... {28, 56, reply, 0, 396, 400, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\214\1\0\0<\2\0\0" ) ) == 0x0 00386 400 NtResumeThread (96, ... 1, ) == 0x0 00387 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17629184, 1048576, ) == 0x0 00388 400 NtAllocateVirtualMemory (-1, 18669568, 0, 8192, 4096, 4, ... 18669568, 8192, ) == 0x0 00389 572 NtTestAlert (... ) == 0x0 00390 572 NtContinue (17628464, 1, ... 00391 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00392 572 NtDelayExecution (0, {-150000, -1}, ... 00393 400 NtProtectVirtualMemory (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0 00394 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 100, {396, 588}, ) == 0x0 00395 400 NtQueryInformationThread (100, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=396,Tid=588,}, 0x0, ) == 0x0 00396 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1510, 0} (24, {28, 56, new_msg, 0, 396, 400, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\214\1\0\0L\2\0\0" ... {28, 56, reply, 0, 396, 400, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\214\1\0\0L\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1511, 0} (24, {28, 56, new_msg, 0, 396, 400, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\214\1\0\0L\2\0\0" ... {28, 56, reply, 0, 396, 400, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\214\1\0\0L\2\0\0" ) ) == 0x0 00397 400 NtResumeThread (100, ... 1, ) == 0x0 00398 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00399 588 NtTestAlert (... ) == 0x0 00400 588 NtContinue (18677040, 1, ... 00401 588 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00402 588 NtDelayExecution (0, {-150000, -1}, ... 00398 400 NtAllocateVirtualMemory ... 18677760, 1048576, ) == 0x0 00403 400 NtAllocateVirtualMemory (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0 00404 400 NtProtectVirtualMemory (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0 00405 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 104, {396, 584}, ) == 0x0 00406 400 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=396,Tid=584,}, 0x0, ) == 0x0 00407 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1511, 0} (24, {28, 56, new_msg, 0, 396, 400, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\214\1\0\0H\2\0\0" ... {28, 56, reply, 0, 396, 400, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\214\1\0\0H\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1512, 0} (24, {28, 56, new_msg, 0, 396, 400, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\214\1\0\0H\2\0\0" ... {28, 56, reply, 0, 396, 400, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\214\1\0\0H\2\0\0" ) ) == 0x0 00408 400 NtResumeThread (104, ... 
1, ) == 0x0 00409 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0 00410 400 NtAllocateVirtualMemory (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0 00411 584 NtTestAlert (... ) == 0x0 00412 584 NtContinue (19725616, 1, ... 00413 584 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00414 584 NtDelayExecution (0, {-150000, -1}, ... 00415 400 NtProtectVirtualMemory (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0 00416 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 108, {396, 580}, ) == 0x0 00417 400 NtQueryInformationThread (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=396,Tid=580,}, 0x0, ) == 0x0 00418 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1512, 0} (24, {28, 56, new_msg, 0, 396, 400, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\214\1\0\0D\2\0\0" ... {28, 56, reply, 0, 396, 400, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\214\1\0\0D\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1513, 0} (24, {28, 56, new_msg, 0, 396, 400, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\214\1\0\0D\2\0\0" ... {28, 56, reply, 0, 396, 400, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\214\1\0\0D\2\0\0" ) ) == 0x0 00419 400 NtResumeThread (108, ... 1, ) == 0x0 00420 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00421 580 NtTestAlert (... ) == 0x0 00422 580 NtContinue (20774192, 1, ... 00423 580 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00424 580 NtDelayExecution (0, {-20010000, -1}, ... 00420 400 NtCreateEvent ... 112, ) == 0x0 00425 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00426 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00427 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0 00428 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0 00429 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0 00430 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0 00431 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
140, ) == 0x0 00432 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00433 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 00434 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 00435 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 00436 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0 00437 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0 00438 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 00439 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 00440 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0 00441 400 NtAllocateVirtualMemory (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0 00442 400 NtProtectVirtualMemory (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0 00443 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 176, {396, 576}, ) == 0x0 00444 400 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=396,Tid=576,}, 0x0, ) == 0x0 00445 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 10264591, -24561, 10264591, 5455538} (24, {28, 56, new_msg, 0, 10264591, -24561, 10264591, 5455538} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\214\1\0\0@\2\0\0" ... {28, 56, reply, 0, 396, 400, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\214\1\0\0@\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1514, 0} (24, {28, 56, new_msg, 0, 10264591, -24561, 10264591, 5455538} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\214\1\0\0@\2\0\0" ... {28, 56, reply, 0, 396, 400, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\214\1\0\0@\2\0\0" ) ) == 0x0 00446 400 NtResumeThread (176, ... 1, ) == 0x0 00447 400 NtSetInformationThread (176, BasePriority, {thread info, class 3, size 4}, 4, ... 00448 576 NtTestAlert (... ) == 0x0 00449 576 NtContinue (21822768, 1, ... 00450 576 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00451 576 NtWaitForSingleObject (112, 0, 0x0, ... 
00447 400 NtSetInformationThread ... ) == 0x0 00452 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0 00453 400 NtAllocateVirtualMemory (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0 00454 400 NtProtectVirtualMemory (-1, (0x15ce000), 4096, 260, ... (0x15ce000), 4096, 4, ) == 0x0 00455 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 180, {396, 596}, ) == 0x0 00456 400 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=396,Tid=596,}, 0x0, ) == 0x0 00457 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1514, 0} (24, {28, 56, new_msg, 0, 396, 400, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\214\1\0\0T\2\0\0" ... {28, 56, reply, 0, 396, 400, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\214\1\0\0T\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1515, 0} (24, {28, 56, new_msg, 0, 396, 400, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\214\1\0\0T\2\0\0" ... {28, 56, reply, 0, 396, 400, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\214\1\0\0T\2\0\0" ) ) == 0x0 00458 400 NtResumeThread (180, ... 1, ) == 0x0 00459 400 NtSetInformationThread (180, BasePriority, {thread info, class 3, size 4}, 4, ... 00460 596 NtTestAlert (... ) == 0x0 00461 596 NtContinue (22871344, 1, ... 00462 596 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00463 596 NtWaitForSingleObject (116, 0, 0x0, ... 00459 400 NtSetInformationThread ... ) == 0x0 00464 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22872064, 1048576, ) == 0x0 00465 400 NtAllocateVirtualMemory (-1, 23912448, 0, 8192, 4096, 4, ... 23912448, 8192, ) == 0x0 00466 400 NtProtectVirtualMemory (-1, (0x16ce000), 4096, 260, ... (0x16ce000), 4096, 4, ) == 0x0 00467 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 184, {396, 636}, ) == 0x0 00468 400 NtQueryInformationThread (184, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=396,Tid=636,}, 0x0, ) == 0x0 00469 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1515, 0} (24, {28, 56, new_msg, 0, 396, 400, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\214\1\0\0|\2\0\0" ... {28, 56, reply, 0, 396, 400, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\214\1\0\0|\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1516, 0} (24, {28, 56, new_msg, 0, 396, 400, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\214\1\0\0|\2\0\0" ... {28, 56, reply, 0, 396, 400, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\214\1\0\0|\2\0\0" ) ) == 0x0 00470 400 NtResumeThread (184, ... 1, ) == 0x0 00471 400 NtSetInformationThread (184, BasePriority, {thread info, class 3, size 4}, 4, ... 00472 636 NtTestAlert (... ) == 0x0 00473 636 NtContinue (23919920, 1, ... 00474 636 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00475 636 NtWaitForSingleObject (120, 0, 0x0, ... 00471 400 NtSetInformationThread ... ) == 0x0 00476 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0 00477 400 NtAllocateVirtualMemory (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0 00478 400 NtProtectVirtualMemory (-1, (0x17ce000), 4096, 260, ... (0x17ce000), 4096, 4, ) == 0x0 00479 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 188, {396, 740}, ) == 0x0 00480 400 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=396,Tid=740,}, 0x0, ) == 0x0 00481 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1516, 0} (24, {28, 56, new_msg, 0, 396, 400, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\214\1\0\0\344\2\0\0" ... {28, 56, reply, 0, 396, 400, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\214\1\0\0\344\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1517, 0} (24, {28, 56, new_msg, 0, 396, 400, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\214\1\0\0\344\2\0\0" ... 
{28, 56, reply, 0, 396, 400, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\214\1\0\0\344\2\0\0" ) ) == 0x0 00482 400 NtResumeThread (188, ... 1, ) == 0x0 00483 400 NtSetInformationThread (188, BasePriority, {thread info, class 3, size 4}, 4, ... 00484 740 NtTestAlert (... ) == 0x0 00485 740 NtContinue (24968496, 1, ... 00486 740 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00487 740 NtWaitForSingleObject (124, 0, 0x0, ... 00483 400 NtSetInformationThread ... ) == 0x0 00488 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0 00489 400 NtAllocateVirtualMemory (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0 00490 400 NtProtectVirtualMemory (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0 00491 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 192, {396, 744}, ) == 0x0 00492 400 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=396,Tid=744,}, 0x0, ) == 0x0 00493 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1517, 0} (24, {28, 56, new_msg, 0, 396, 400, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\214\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 396, 400, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\214\1\0\0\350\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1518, 0} (24, {28, 56, new_msg, 0, 396, 400, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\214\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 396, 400, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\214\1\0\0\350\2\0\0" ) ) == 0x0 00494 400 NtResumeThread (192, ... 1, ) == 0x0 00495 744 NtTestAlert (... ) == 0x0 00496 744 NtContinue (26017072, 1, ... 00497 744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00498 744 NtWaitForSingleObject (128, 0, 0x0, ... 00499 400 NtSetInformationThread (192, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00500 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
26017792, 1048576, ) == 0x0 00501 400 NtAllocateVirtualMemory (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0 00502 400 NtProtectVirtualMemory (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0 00503 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 196, {396, 676}, ) == 0x0 00504 400 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=396,Tid=676,}, 0x0, ) == 0x0 00505 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1518, 0} (24, {28, 56, new_msg, 0, 396, 400, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\214\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 396, 400, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\214\1\0\0\244\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1519, 0} (24, {28, 56, new_msg, 0, 396, 400, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\214\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 396, 400, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\214\1\0\0\244\2\0\0" ) ) == 0x0 00506 400 NtResumeThread (196, ... 1, ) == 0x0 00507 400 NtSetInformationThread (196, BasePriority, {thread info, class 3, size 4}, 4, ... 00508 676 NtTestAlert (... ) == 0x0 00509 676 NtContinue (27065648, 1, ... 00510 676 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00511 676 NtWaitForSingleObject (132, 0, 0x0, ... 00507 400 NtSetInformationThread ... ) == 0x0 00512 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0 00513 400 NtAllocateVirtualMemory (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0 00514 400 NtProtectVirtualMemory (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0 00515 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 200, {396, 796}, ) == 0x0 00516 400 NtQueryInformationThread (200, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=396,Tid=796,}, 0x0, ) == 0x0 00517 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1519, 0} (24, {28, 56, new_msg, 0, 396, 400, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\214\1\0\0\34\3\0\0" ... {28, 56, reply, 0, 396, 400, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\214\1\0\0\34\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1520, 0} (24, {28, 56, new_msg, 0, 396, 400, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\214\1\0\0\34\3\0\0" ... {28, 56, reply, 0, 396, 400, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\214\1\0\0\34\3\0\0" ) ) == 0x0 00518 400 NtResumeThread (200, ... 1, ) == 0x0 00519 400 NtSetInformationThread (200, BasePriority, {thread info, class 3, size 4}, 4, ... 00520 796 NtTestAlert (... ) == 0x0 00521 796 NtContinue (28114224, 1, ... 00522 796 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00523 796 NtWaitForSingleObject (136, 0, 0x0, ... 00519 400 NtSetInformationThread ... ) == 0x0 00524 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0 00525 400 NtAllocateVirtualMemory (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0 00526 400 NtProtectVirtualMemory (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0 00527 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 204, {396, 792}, ) == 0x0 00528 400 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=396,Tid=792,}, 0x0, ) == 0x0 00529 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1520, 0} (24, {28, 56, new_msg, 0, 396, 400, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\214\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 396, 400, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\214\1\0\0\30\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1521, 0} (24, {28, 56, new_msg, 0, 396, 400, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\214\1\0\0\30\3\0\0" ... 
{28, 56, reply, 0, 396, 400, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\214\1\0\0\30\3\0\0" ) ) == 0x0 00530 400 NtResumeThread (204, ... 1, ) == 0x0 00531 400 NtSetInformationThread (204, BasePriority, {thread info, class 3, size 4}, 4, ... 00532 792 NtTestAlert (... ) == 0x0 00533 792 NtContinue (29162800, 1, ... 00534 792 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00535 792 NtWaitForSingleObject (140, 0, 0x0, ... 00531 400 NtSetInformationThread ... ) == 0x0 00536 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0 00537 400 NtAllocateVirtualMemory (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0 00538 400 NtProtectVirtualMemory (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0 00539 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 208, {396, 716}, ) == 0x0 00540 400 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=396,Tid=716,}, 0x0, ) == 0x0 00541 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1521, 0} (24, {28, 56, new_msg, 0, 396, 400, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\214\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 396, 400, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\214\1\0\0\314\2\0\0" ) ... {28, 56, reply, 0, 396, 400, 1522, 0} (24, {28, 56, new_msg, 0, 396, 400, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\214\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 396, 400, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\214\1\0\0\314\2\0\0" ) ) == 0x0 00542 400 NtResumeThread (208, ... 1, ) == 0x0 00543 400 NtSetInformationThread (208, BasePriority, {thread info, class 3, size 4}, 4, ... 00544 716 NtTestAlert (... ) == 0x0 00545 716 NtContinue (30211376, 1, ... 00546 716 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00547 716 NtWaitForSingleObject (144, 0, 0x0, ... 00543 400 NtSetInformationThread ... ) == 0x0 00548 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
30212096, 1048576, ) == 0x0 00549 400 NtAllocateVirtualMemory (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0 00550 400 NtProtectVirtualMemory (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0 00551 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 212, {396, 836}, ) == 0x0 00552 400 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=396,Tid=836,}, 0x0, ) == 0x0 00553 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1522, 0} (24, {28, 56, new_msg, 0, 396, 400, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\214\1\0\0D\3\0\0" ... {28, 56, reply, 0, 396, 400, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\214\1\0\0D\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1523, 0} (24, {28, 56, new_msg, 0, 396, 400, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\214\1\0\0D\3\0\0" ... {28, 56, reply, 0, 396, 400, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\214\1\0\0D\3\0\0" ) ) == 0x0 00554 400 NtResumeThread (212, ... 1, ) == 0x0 00555 400 NtSetInformationThread (212, BasePriority, {thread info, class 3, size 4}, 4, ... 00556 836 NtTestAlert (... ) == 0x0 00557 836 NtContinue (31259952, 1, ... 00558 836 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00559 836 NtWaitForSingleObject (148, 0, 0x0, ... 00555 400 NtSetInformationThread ... ) == 0x0 00560 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0 00561 400 NtAllocateVirtualMemory (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0 00562 400 NtProtectVirtualMemory (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0 00563 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 216, {396, 856}, ) == 0x0 00564 400 NtQueryInformationThread (216, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=396,Tid=856,}, 0x0, ) == 0x0 00565 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1523, 0} (24, {28, 56, new_msg, 0, 396, 400, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\214\1\0\0X\3\0\0" ... {28, 56, reply, 0, 396, 400, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\214\1\0\0X\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1524, 0} (24, {28, 56, new_msg, 0, 396, 400, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\214\1\0\0X\3\0\0" ... {28, 56, reply, 0, 396, 400, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\214\1\0\0X\3\0\0" ) ) == 0x0 00566 400 NtResumeThread (216, ... 1, ) == 0x0 00567 856 NtTestAlert (... ) == 0x0 00568 856 NtContinue (32308528, 1, ... 00569 856 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00570 856 NtWaitForSingleObject (152, 0, 0x0, ... 00571 400 NtSetInformationThread (216, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00572 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0 00573 400 NtAllocateVirtualMemory (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0 00574 400 NtProtectVirtualMemory (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0 00575 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 220, {396, 860}, ) == 0x0 00576 400 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=396,Tid=860,}, 0x0, ) == 0x0 00577 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1524, 0} (24, {28, 56, new_msg, 0, 396, 400, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\214\1\0\0\\3\0\0" ... {28, 56, reply, 0, 396, 400, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\214\1\0\0\\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1525, 0} (24, {28, 56, new_msg, 0, 396, 400, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\214\1\0\0\\3\0\0" ... 
{28, 56, reply, 0, 396, 400, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\214\1\0\0\\3\0\0" ) ) == 0x0 00578 400 NtResumeThread (220, ... 1, ) == 0x0 00579 400 NtSetInformationThread (220, BasePriority, {thread info, class 3, size 4}, 4, ... 00580 860 NtTestAlert (... ) == 0x0 00581 860 NtContinue (33357104, 1, ... 00582 860 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00583 860 NtWaitForSingleObject (156, 0, 0x0, ... 00579 400 NtSetInformationThread ... ) == 0x0 00584 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0 00585 400 NtAllocateVirtualMemory (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0 00586 400 NtProtectVirtualMemory (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0 00587 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 224, {396, 864}, ) == 0x0 00588 400 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=396,Tid=864,}, 0x0, ) == 0x0 00589 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1525, 0} (24, {28, 56, new_msg, 0, 396, 400, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\214\1\0\0`\3\0\0" ... {28, 56, reply, 0, 396, 400, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\214\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1526, 0} (24, {28, 56, new_msg, 0, 396, 400, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\214\1\0\0`\3\0\0" ... {28, 56, reply, 0, 396, 400, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\214\1\0\0`\3\0\0" ) ) == 0x0 00590 400 NtResumeThread (224, ... 1, ) == 0x0 00591 400 NtSetInformationThread (224, BasePriority, {thread info, class 3, size 4}, 4, ... 00592 864 NtTestAlert (... ) == 0x0 00593 864 NtContinue (34405680, 1, ... 00594 864 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00595 864 NtWaitForSingleObject (160, 0, 0x0, ... 00591 400 NtSetInformationThread ... ) == 0x0 00596 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
34406400, 1048576, ) == 0x0 00597 400 NtAllocateVirtualMemory (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0 00598 400 NtProtectVirtualMemory (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0 00599 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 228, {396, 868}, ) == 0x0 00600 400 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=396,Tid=868,}, 0x0, ) == 0x0 00601 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1526, 0} (24, {28, 56, new_msg, 0, 396, 400, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\214\1\0\0d\3\0\0" ... {28, 56, reply, 0, 396, 400, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\214\1\0\0d\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1527, 0} (24, {28, 56, new_msg, 0, 396, 400, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\214\1\0\0d\3\0\0" ... {28, 56, reply, 0, 396, 400, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\214\1\0\0d\3\0\0" ) ) == 0x0 00602 400 NtResumeThread (228, ... 1, ) == 0x0 00603 400 NtSetInformationThread (228, BasePriority, {thread info, class 3, size 4}, 4, ... 00604 868 NtTestAlert (... ) == 0x0 00605 868 NtContinue (35454256, 1, ... 00606 868 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00607 868 NtWaitForSingleObject (164, 0, 0x0, ... 00603 400 NtSetInformationThread ... ) == 0x0 00608 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0 00609 400 NtAllocateVirtualMemory (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0 00610 400 NtProtectVirtualMemory (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0 00611 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 232, {396, 872}, ) == 0x0 00612 400 NtQueryInformationThread (232, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=396,Tid=872,}, 0x0, ) == 0x0 00613 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1527, 0} (24, {28, 56, new_msg, 0, 396, 400, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\214\1\0\0h\3\0\0" ... {28, 56, reply, 0, 396, 400, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\214\1\0\0h\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1528, 0} (24, {28, 56, new_msg, 0, 396, 400, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\214\1\0\0h\3\0\0" ... {28, 56, reply, 0, 396, 400, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\214\1\0\0h\3\0\0" ) ) == 0x0 00614 400 NtResumeThread (232, ... 1, ) == 0x0 00615 400 NtSetInformationThread (232, BasePriority, {thread info, class 3, size 4}, 4, ... 00616 872 NtTestAlert (... ) == 0x0 00617 872 NtContinue (36502832, 1, ... 00618 872 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00619 872 NtWaitForSingleObject (168, 0, 0x0, ... 00615 400 NtSetInformationThread ... ) == 0x0 00620 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36503552, 1048576, ) == 0x0 00621 400 NtAllocateVirtualMemory (-1, 37543936, 0, 8192, 4096, 4, ... 37543936, 8192, ) == 0x0 00622 400 NtProtectVirtualMemory (-1, (0x23ce000), 4096, 260, ... (0x23ce000), 4096, 4, ) == 0x0 00623 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 236, {396, 876}, ) == 0x0 00624 400 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=396,Tid=876,}, 0x0, ) == 0x0 00625 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 396, 400, 1528, 0} (24, {28, 56, new_msg, 0, 396, 400, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\214\1\0\0l\3\0\0" ... {28, 56, reply, 0, 396, 400, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\214\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1529, 0} (24, {28, 56, new_msg, 0, 396, 400, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\214\1\0\0l\3\0\0" ... 
{28, 56, reply, 0, 396, 400, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\214\1\0\0l\3\0\0" ) ) == 0x0 00626 400 NtResumeThread (236, ... 1, ) == 0x0 00627 400 NtSetInformationThread (236, BasePriority, {thread info, class 3, size 4}, 4, ... 00628 876 NtTestAlert (... ) == 0x0 00629 876 NtContinue (37551408, 1, ... 00630 876 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00631 876 NtWaitForSingleObject (172, 0, 0x0, ... 00627 400 NtSetInformationThread ... ) == 0x0 00632 400 NtSetEvent (132, ... 00511 676 NtWaitForSingleObject ... ) == 0x0 00633 676 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00634 676 NtWaitForSingleObject (132, 0, 0x0, ... 00632 400 NtSetEvent ... 0x0, ) == 0x0 00635 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00636 400 NtSetEvent (124, ... 00487 740 NtWaitForSingleObject ... ) == 0x0 00637 740 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00638 740 NtWaitForSingleObject (124, 0, 0x0, ... 00636 400 NtSetEvent ... 0x0, ) == 0x0 00639 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00640 400 NtSetEvent (132, ... 00634 676 NtWaitForSingleObject ... ) == 0x0 00641 676 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00642 676 NtWaitForSingleObject (132, 0, 0x0, ... 00640 400 NtSetEvent ... 0x0, ) == 0x0 00643 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00644 400 NtSetEvent (120, ... 00475 636 NtWaitForSingleObject ... ) == 0x0 00645 636 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00646 636 NtWaitForSingleObject (120, 0, 0x0, ... 00644 400 NtSetEvent ... 0x0, ) == 0x0 00647 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00648 400 NtQueryVirtualMemory (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 00649 400 NtUserGetForegroundWindow (... ) == 0x2005e 00650 400 NtUserQueryWindow (131166, 0, ... ) == 0x7f8 00651 400 NtSetEvent (152, ... 00570 856 NtWaitForSingleObject ... ) == 0x0 00652 856 NtDelayExecution (0, {0, 0}, ... 
) == 0x0 00653 856 NtWaitForSingleObject (152, 0, 0x0, ... 00651 400 NtSetEvent ... 0x0, ) == 0x0 00654 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00655 400 NtSetEvent (136, ... 00523 796 NtWaitForSingleObject ... ) == 0x0 00656 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00657 796 NtWaitForSingleObject (136, 0, 0x0, ... 00655 400 NtSetEvent ... 0x0, ) == 0x0 00658 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00659 400 NtSetEvent (136, ... 00657 796 NtWaitForSingleObject ... ) == 0x0 00660 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00661 796 NtWaitForSingleObject (136, 0, 0x0, ... 00659 400 NtSetEvent ... 0x0, ) == 0x0 00662 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00663 400 NtSetEvent (164, ... 00607 868 NtWaitForSingleObject ... ) == 0x0 00664 868 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00665 868 NtWaitForSingleObject (164, 0, 0x0, ... 00663 400 NtSetEvent ... 0x0, ) == 0x0 00666 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00667 400 NtSetEvent (160, ... 00595 864 NtWaitForSingleObject ... ) == 0x0 00668 864 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00669 864 NtWaitForSingleObject (160, 0, 0x0, ... 00667 400 NtSetEvent ... 0x0, ) == 0x0 00670 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00671 400 NtSetEvent (168, ... 00619 872 NtWaitForSingleObject ... ) == 0x0 00672 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00673 872 NtWaitForSingleObject (168, 0, 0x0, ... 00671 400 NtSetEvent ... 0x0, ) == 0x0 00674 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00675 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00676 400 NtQuerySystemInformation (Module, 65536, ... 00348 564 NtDelayExecution ... ) == 0x0 00677 564 NtDelayExecution (0, {-20010000, -1}, ... 00358 384 NtDelayExecution ... ) == 0x0 00678 384 NtDelayExecution (0, {-20010000, -1}, ... 00370 380 NtDelayExecution ... ) == 0x0 00679 380 NtContinue (15531236, 0, ... 00680 380 NtDelayExecution (0, {-20010000, -1}, ... 00380 568 NtDelayExecution ... 
) == 0x0 00681 568 NtDelayExecution (0, {-20010000, -1}, ... 00392 572 NtDelayExecution ... ) == 0x0 00682 572 NtDelayExecution (0, {-20010000, -1}, ... 00402 588 NtDelayExecution ... ) == 0x0 00683 588 NtDelayExecution (0, {-20010000, -1}, ... 00414 584 NtDelayExecution ... ) == 0x0 00684 584 NtDelayExecution (0, {-20010000, -1}, ... 00676 400 NtQuerySystemInformation ... {system info, class 11, size 500}, 0x0, ) == 0x0 00685 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00686 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00687 400 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00688 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00689 400 NtUserFindWindowEx (0, 0, (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00690 400 NtUserFindWindowEx (0, 0, (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00691 400 NtUserFindWindowEx (0, 0, (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00692 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00693 400 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00694 400 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 240, ) == 0x0 00695 400 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x23e0000), 0x0, 4194304, ) == 0x0 00696 400 NtAllocateVirtualMemory (-1, 37617664, 0, 1, 4096, 4, ... 37617664, 4096, ) == 0x0 00697 400 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 244, ) == 0x0 00698 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x27e0000), 0x0, 4194304, ) == 0x0 00699 400 NtAllocateVirtualMemory (-1, 41811968, 0, 1, 4096, 4, ... 41811968, 4096, ) == 0x0 00700 400 NtCreateSection (0xf0007, 0x0, {29472, 0}, 4, 134217728, 0, ... 
248, ) == 0x0 00701 400 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2be0000), {0, 0}, 32768, ) == 0x0 00702 400 NtUnmapViewOfSection (-1, 0x2be0000, ... ) == 0x0 00703 400 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2be0000), {0, 0}, 32768, ) == 0x0 00704 400 NtClose (244, ... ) == 0x0 00705 400 NtUnmapViewOfSection (-1, 0x27e0000, ... ) == 0x0 00706 400 NtClose (240, ... ) == 0x0 00707 400 NtUnmapViewOfSection (-1, 0x23e0000, ... ) == 0x0 00708 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00709 400 NtUnmapViewOfSection (-1, 0x2be0000, ... ) == 0x0 00710 400 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x23d0000), {0, 0}, 32768, ) == 0x0 00711 400 NtUnmapViewOfSection (-1, 0x23d0000, ... ) == 0x0 00712 400 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x23d0000), {0, 0}, 32768, ) == 0x0 00713 400 NtUnmapViewOfSection (-1, 0x23d0000, ... ) == 0x0 00714 400 NtSetEvent (152, ... 00653 856 NtWaitForSingleObject ... ) == 0x0 00715 856 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00716 856 NtWaitForSingleObject (152, 0, 0x0, ... 00714 400 NtSetEvent ... 0x0, ) == 0x0 00717 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00718 400 NtSetEvent (148, ... 00559 836 NtWaitForSingleObject ... ) == 0x0 00719 836 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00720 836 NtWaitForSingleObject (148, 0, 0x0, ... 00718 400 NtSetEvent ... 0x0, ) == 0x0 00721 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00722 400 NtContinue (1243040, 0, ... 00723 400 NtSetEvent (160, ... 00669 864 NtWaitForSingleObject ... ) == 0x0 00724 864 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00725 864 NtWaitForSingleObject (160, 0, 0x0, ... 00723 400 NtSetEvent ... 0x0, ) == 0x0 00726 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00727 400 NtUserFindWindowEx (0, 0, (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... 
) == 0x0 00728 400 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00729 400 NtUserFindWindowEx (0, 0, (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00730 400 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00731 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00732 400 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00733 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00734 400 NtSetEvent (160, ... 00725 864 NtWaitForSingleObject ... ) == 0x0 00735 864 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00736 864 NtWaitForSingleObject (160, 0, 0x0, ... 00734 400 NtSetEvent ... 0x0, ) == 0x0 00737 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00738 400 NtAllocateVirtualMemory (-1, 0, 0, 1000, 4096, 4, ... 37552128, 4096, ) == 0x0 00739 400 NtQueryInformationProcess (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0 00740 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 4096, ) == 0x0 00741 400 NtSetEvent (136, ... 00661 796 NtWaitForSingleObject ... ) == 0x0 00742 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00743 796 NtWaitForSingleObject (136, 0, 0x0, ... 00741 400 NtSetEvent ... 0x0, ) == 0x0 00744 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00745 400 NtUserFindWindowEx (0, 0, (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00746 400 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00747 400 NtUserFindWindowEx (0, 0, (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00748 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00749 400 NtQuerySystemInformation (Module, 65536, ... 
{system info, class 11, size 500}, 0x0, ) == 0x0 00750 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00751 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00752 400 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00753 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00754 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00755 400 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00756 400 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00757 400 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00758 400 NtSetEvent (168, ... 00673 872 NtWaitForSingleObject ... ) == 0x0 00759 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00760 872 NtWaitForSingleObject (168, 0, 0x0, ... 00758 400 NtSetEvent ... 0x0, ) == 0x0 00761 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00762 400 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 240, {status=0x0, info=1}, ) }, 3, 33, ... 240, {status=0x0, info=1}, ) == 0x0 00763 400 NtQueryVolumeInformationFile (240, 1244908, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00764 400 NtClose (12, ... ) == 0x0 00765 400 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 37552128, 4096, ) == 0x0 00766 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 12, ) }, ... 12, ) == 0x0 00767 400 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00768 400 NtClose (12, ... ) == 0x0 00769 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 12, ) }, ... 
12, ) == 0x0 00770 400 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00771 400 NtClose (12, ... ) == 0x0 00772 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 12, ) }, ... 12, ) == 0x0 00773 400 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00774 400 NtClose (12, ... ) == 0x0 00775 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00776 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 37617664, 65536, ) == 0x0 00777 400 NtAllocateVirtualMemory (-1, 37617664, 0, 4096, 4096, 4, ... 37617664, 4096, ) == 0x0 00778 400 NtAllocateVirtualMemory (-1, 37621760, 0, 8192, 4096, 4, ... 37621760, 8192, ) == 0x0 00779 400 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 12, ) }, ... 12, ) == 0x0 00780 400 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x23f0000), 0x0, 12288, ) == 0x0 00781 400 NtClose (12, ... ) == 0x0 00782 400 NtAllocateVirtualMemory (-1, 37629952, 0, 4096, 4096, 4, ... 37629952, 4096, ) == 0x0 00783 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00784 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00785 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 12, ) }, ... 
12, ) == 0x0 00786 400 NtQueryValueKey (12, (12, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (12, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00787 400 NtClose (12, ... ) == 0x0 00788 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00789 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00790 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00791 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00792 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 12, ) }, ... 12, ) == 0x0 00793 400 NtQueryValueKey (12, (12, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 400 NtQueryValueKey (12, (12, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00795 400 NtQueryValueKey (12, (12, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00796 400 NtClose (12, ... ) == 0x0 00797 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 12, ) }, ... 
12, ) == 0x0 00798 400 NtQueryValueKey (12, (12, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00799 400 NtQueryValueKey (12, (12, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 400 NtClose (12, ... ) == 0x0 00801 400 NtOpenEvent (0x1f0003, {24, 56, 0x0, 0, 0, (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00802 400 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00803 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 400 NtOpenKey (0x9, {24, 48, 0x40, 0, 0, (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00805 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00806 400 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00807 400 NtQueryVolumeInformationFile (12, 1244912, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00808 400 NtClose (240, ... ) == 0x0 00809 400 NtSetEvent (128, ... 00498 744 NtWaitForSingleObject ... ) == 0x0 00810 744 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00811 744 NtWaitForSingleObject (128, 0, 0x0, ... 00809 400 NtSetEvent ... 0x0, ) == 0x0 00812 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00813 400 NtSetEvent (128, ... 00811 744 NtWaitForSingleObject ... ) == 0x0 00814 744 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00815 744 NtWaitForSingleObject (128, 0, 0x0, ... 00813 400 NtSetEvent ... 0x0, ) == 0x0 00816 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00817 400 NtSetEvent (152, ... 00716 856 NtWaitForSingleObject ... 
) == 0x0 00818 856 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00819 856 NtWaitForSingleObject (152, 0, 0x0, ... 00817 400 NtSetEvent ... 0x0, ) == 0x0 00820 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00821 400 NtAllocateVirtualMemory (-1, 0, 0, 200000, 4096, 4, ... 37748736, 200704, ) == 0x0 00822 400 NtAllocateVirtualMemory (-1, 0, 0, 1024, 4096, 4, ... 38010880, 4096, ) == 0x0 00823 400 NtSetEvent (140, ... 00535 792 NtWaitForSingleObject ... ) == 0x0 00824 792 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00825 792 NtWaitForSingleObject (140, 0, 0x0, ... 00823 400 NtSetEvent ... 0x0, ) == 0x0 00826 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00827 400 NtSetEvent (120, ... 00646 636 NtWaitForSingleObject ... ) == 0x0 00828 636 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00829 636 NtWaitForSingleObject (120, 0, 0x0, ... 00827 400 NtSetEvent ... 0x0, ) == 0x0 00830 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00831 400 NtSetEvent (124, ... 00638 740 NtWaitForSingleObject ... ) == 0x0 00832 740 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00833 740 NtWaitForSingleObject (124, 0, 0x0, ... 00831 400 NtSetEvent ... 0x0, ) == 0x0 00834 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00835 400 NtSetEvent (120, ... 00829 636 NtWaitForSingleObject ... ) == 0x0 00836 636 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00837 636 NtWaitForSingleObject (120, 0, 0x0, ... 00835 400 NtSetEvent ... 0x0, ) == 0x0 00838 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00839 400 NtSetEvent (128, ... 00815 744 NtWaitForSingleObject ... ) == 0x0 00840 744 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00841 744 NtWaitForSingleObject (128, 0, 0x0, ... 00839 400 NtSetEvent ... 0x0, ) == 0x0 00842 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00843 400 NtSetEvent (164, ... 00665 868 NtWaitForSingleObject ... ) == 0x0 00844 868 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00845 868 NtWaitForSingleObject (164, 0, 0x0, ... 00843 400 NtSetEvent ... 0x0, ) == 0x0 00846 400 NtDelayExecution (0, {0, 0}, ... 
) == 0x0 00847 400 NtSetEvent (164, ... 00845 868 NtWaitForSingleObject ... ) == 0x0 00848 868 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00849 868 NtWaitForSingleObject (164, 0, 0x0, ... 00847 400 NtSetEvent ... 0x0, ) == 0x0 00850 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00851 400 NtSetEvent (116, ... 00463 596 NtWaitForSingleObject ... ) == 0x0 00852 596 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00853 596 NtWaitForSingleObject (116, 0, 0x0, ... 00851 400 NtSetEvent ... 0x0, ) == 0x0 00854 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00855 400 NtSetEvent (152, ... 00819 856 NtWaitForSingleObject ... ) == 0x0 00856 856 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00857 856 NtWaitForSingleObject (152, 0, 0x0, ... 00855 400 NtSetEvent ... 0x0, ) == 0x0 00858 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00859 400 NtSetEvent (144, ... 00547 716 NtWaitForSingleObject ... ) == 0x0 00860 716 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00861 716 NtWaitForSingleObject (144, 0, 0x0, ... 00859 400 NtSetEvent ... 0x0, ) == 0x0 00862 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00863 400 NtSetEvent (120, ... 00837 636 NtWaitForSingleObject ... ) == 0x0 00864 636 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00865 636 NtWaitForSingleObject (120, 0, 0x0, ... 00863 400 NtSetEvent ... 0x0, ) == 0x0 00866 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00867 400 NtSetEvent (156, ... 00583 860 NtWaitForSingleObject ... ) == 0x0 00868 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00869 860 NtWaitForSingleObject (156, 0, 0x0, ... 00867 400 NtSetEvent ... 0x0, ) == 0x0 00870 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00871 400 NtSetEvent (156, ... 00869 860 NtWaitForSingleObject ... ) == 0x0 00872 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00873 860 NtWaitForSingleObject (156, 0, 0x0, ... 00871 400 NtSetEvent ... 0x0, ) == 0x0 00874 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00875 400 NtSetEvent (172, ... 00631 876 NtWaitForSingleObject ... 
) == 0x0 00876 876 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00877 876 NtWaitForSingleObject (172, 0, 0x0, ... 00875 400 NtSetEvent ... 0x0, ) == 0x0 00878 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00879 400 NtProtectVirtualMemory (-1, (0x401000), 52664, 64, ... (0x401000), 53248, 8, ) == 0x0 00880 400 NtUserFindWindowEx (0, 0, (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00881 400 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00882 400 NtUserFindWindowEx (0, 0, (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00883 400 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00884 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 38076416, 65536, ) == 0x0 00885 400 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00886 400 NtFreeVirtualMemory (-1, (0x2450000), 0, 32768, ... (0x2450000), 65536, ) == 0x0 00887 400 NtSetEvent (140, ... 00825 792 NtWaitForSingleObject ... ) == 0x0 00888 792 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00889 792 NtWaitForSingleObject (140, 0, 0x0, ... 00887 400 NtSetEvent ... 0x0, ) == 0x0 00890 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00891 400 NtAllocateVirtualMemory (-1, 0, 0, 532480, 4096, 4, ... 38076416, 532480, ) == 0x0 00892 400 NtFreeVirtualMemory (-1, (0x2450000), 0, 32768, ... (0x2450000), 532480, ) == 0x0 00893 400 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38076416, 1048576, ) == 0x0 00894 400 NtAllocateVirtualMemory (-1, 39116800, 0, 8192, 4096, 4, ... 39116800, 8192, ) == 0x0 00895 400 NtProtectVirtualMemory (-1, (0x254e000), 4096, 260, ... (0x254e000), 4096, 4, ) == 0x0 00896 400 NtCreateThread (0x1f03ff, 0x0, -1, 1244208, 1244924, 1, ... 240, {396, 880}, ) == 0x0 00897 400 NtQueryInformationThread (240, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=396,Tid=880,}, 0x0, ) == 0x0 00898 400 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\360\0\0\0\214\1\0\0p\3\0\0" ... {28, 56, reply, 0, 396, 400, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\360\0\0\0\214\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 396, 400, 1530, 0} (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\360\0\0\0\214\1\0\0p\3\0\0" ... {28, 56, reply, 0, 396, 400, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\360\0\0\0\214\1\0\0p\3\0\0" ) ) == 0x0 00899 400 NtResumeThread (240, ... 1, ) == 0x0 00900 400 NtSetEvent (148, ... 00901 880 NtTestAlert (... ) == 0x0 00902 880 NtContinue (39124272, 1, ... 00903 880 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00904 880 NtDelayExecution (0, {-40000000, -1}, ... 00720 836 NtWaitForSingleObject ... ) == 0x0 00905 836 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00906 836 NtWaitForSingleObject (148, 0, 0x0, ... 00900 400 NtSetEvent ... 0x0, ) == 0x0 00907 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00908 400 NtSetEvent (164, ... 00849 868 NtWaitForSingleObject ... ) == 0x0 00909 868 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00910 868 NtWaitForSingleObject (164, 0, 0x0, ... 00908 400 NtSetEvent ... 0x0, ) == 0x0 00911 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00912 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00913 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00914 400 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 39124992, 4096, ) == 0x0 00915 400 NtAllocateVirtualMemory (-1, 0, 0, 8192, 4096, 4, ... 39190528, 8192, ) == 0x0 00916 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 64, ... 39256064, 65536, ) == 0x0 00917 400 NtAllocateVirtualMemory (-1, 0, 0, 2928, 4096, 4, ... 
39321600, 4096, ) == 0x0 00918 400 NtAllocateVirtualMemory (-1, 0, 0, 1998, 4096, 64, ... 39387136, 4096, ) == 0x0 00919 400 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00920 400 NtAllocateVirtualMemory (-1, 0, 0, 1584, 4096, 4, ... 39321600, 4096, ) == 0x0 00921 400 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00922 400 NtAllocateVirtualMemory (-1, 0, 0, 3316, 4096, 4, ... 39321600, 4096, ) == 0x0 00923 400 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00924 400 NtAllocateVirtualMemory (-1, 0, 0, 3712, 4096, 4, ... 39321600, 4096, ) == 0x0 00925 400 NtAllocateVirtualMemory (-1, 0, 0, 364, 4096, 64, ... 39452672, 4096, ) == 0x0 00926 400 NtAllocateVirtualMemory (-1, 0, 0, 6849, 4096, 64, ... 39518208, 8192, ) == 0x0 00927 400 NtAllocateVirtualMemory (-1, 0, 0, 2036, 4096, 64, ... 39583744, 4096, ) == 0x0 00928 400 NtAllocateVirtualMemory (-1, 0, 0, 1684, 4096, 64, ... 39649280, 4096, ) == 0x0 00929 400 NtAllocateVirtualMemory (-1, 0, 0, 2547, 4096, 64, ... 39714816, 4096, ) == 0x0 00930 400 NtAllocateVirtualMemory (-1, 0, 0, 2854, 4096, 64, ... 39780352, 4096, ) == 0x0 00931 400 NtAllocateVirtualMemory (-1, 0, 0, 1913, 4096, 64, ... 39845888, 4096, ) == 0x0 00932 400 NtAllocateVirtualMemory (-1, 0, 0, 6999, 4096, 64, ... 39911424, 8192, ) == 0x0 00933 400 NtAllocateVirtualMemory (-1, 0, 0, 2469, 4096, 64, ... 39976960, 4096, ) == 0x0 00934 400 NtAllocateVirtualMemory (-1, 0, 0, 1476, 4096, 64, ... 40042496, 4096, ) == 0x0 00935 400 NtAllocateVirtualMemory (-1, 0, 0, 4143, 4096, 64, ... 40108032, 8192, ) == 0x0 00936 400 NtAllocateVirtualMemory (-1, 0, 0, 1082, 4096, 64, ... 40173568, 4096, ) == 0x0 00937 400 NtAllocateVirtualMemory (-1, 0, 0, 4523, 4096, 64, ... 40239104, 8192, ) == 0x0 00938 400 NtAllocateVirtualMemory (-1, 0, 0, 903, 4096, 64, ... 40304640, 4096, ) == 0x0 00939 400 NtAllocateVirtualMemory (-1, 0, 0, 2089, 4096, 64, ... 
40370176, 4096, ) == 0x0 00940 400 NtAllocateVirtualMemory (-1, 0, 0, 1770, 4096, 64, ... 40435712, 4096, ) == 0x0 00941 400 NtAllocateVirtualMemory (-1, 0, 0, 2769, 4096, 64, ... 40501248, 4096, ) == 0x0 00942 400 NtAllocateVirtualMemory (-1, 0, 0, 2048, 4096, 64, ... 40566784, 4096, ) == 0x0 00943 400 NtAllocateVirtualMemory (-1, 0, 0, 6222, 4096, 64, ... 40632320, 8192, ) == 0x0 00944 400 NtAllocateVirtualMemory (-1, 0, 0, 1737, 4096, 64, ... 40697856, 4096, ) == 0x0 00945 400 NtAllocateVirtualMemory (-1, 0, 0, 2376, 4096, 64, ... 40763392, 4096, ) == 0x0 00946 400 NtAllocateVirtualMemory (-1, 0, 0, 1266, 4096, 64, ... 40828928, 4096, ) == 0x0 00947 400 NtAllocateVirtualMemory (-1, 0, 0, 1613, 4096, 64, ... 40894464, 4096, ) == 0x0 00948 400 NtAllocateVirtualMemory (-1, 0, 0, 3094, 4096, 64, ... 40960000, 4096, ) == 0x0 00949 400 NtAllocateVirtualMemory (-1, 0, 0, 2947, 4096, 64, ... 41025536, 4096, ) == 0x0 00950 400 NtAllocateVirtualMemory (-1, 0, 0, 1061, 4096, 64, ... 41091072, 4096, ) == 0x0 00951 400 NtAllocateVirtualMemory (-1, 0, 0, 3946, 4096, 64, ... 41156608, 4096, ) == 0x0 00952 400 NtAllocateVirtualMemory (-1, 0, 0, 645, 4096, 64, ... 41222144, 4096, ) == 0x0 00953 400 NtAllocateVirtualMemory (-1, 0, 0, 1719, 4096, 64, ... 41287680, 4096, ) == 0x0 00954 400 NtAllocateVirtualMemory (-1, 0, 0, 2447, 4096, 64, ... 41353216, 4096, ) == 0x0 00955 400 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00956 400 NtFreeVirtualMemory (-1, (0x2400000), 0, 32768, ... (0x2400000), 200704, ) == 0x0 00957 400 NtFreeVirtualMemory (-1, (0x2440000), 0, 32768, ... (0x2440000), 4096, ) == 0x0 00958 400 NtFreeVirtualMemory (-1, (0x2560000), 0, 32768, ... (0x2560000), 8192, ) == 0x0 00959 400 NtFreeVirtualMemory (-1, (0x2570000), 0, 32768, ... (0x2570000), 65536, ) == 0x0 00960 400 NtFreeVirtualMemory (-1, (0x2550000), 0, 32768, ... (0x2550000), 4096, ) == 0x0 00961 400 NtSetEvent (120, ... 00865 636 NtWaitForSingleObject ... 
) == 0x0 00962 636 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00963 636 NtWaitForSingleObject (120, 0, 0x0, ... 00961 400 NtSetEvent ... 0x0, ) == 0x0 00964 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00965 400 NtSetEvent (132, ... 00642 676 NtWaitForSingleObject ... ) == 0x0 00966 676 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00967 676 NtWaitForSingleObject (132, 0, 0x0, ... 00965 400 NtSetEvent ... 0x0, ) == 0x0 00968 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00969 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00970 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00971 400 NtSetEvent (136, ... 00743 796 NtWaitForSingleObject ... ) == 0x0 00972 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00973 796 NtWaitForSingleObject (136, 0, 0x0, ... 00971 400 NtSetEvent ... 0x0, ) == 0x0 00974 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00975 400 NtSetEvent (116, ... 00853 596 NtWaitForSingleObject ... ) == 0x0 00976 596 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00977 596 NtWaitForSingleObject (116, 0, 0x0, ... 00975 400 NtSetEvent ... 0x0, ) == 0x0 00978 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00979 400 NtSetEvent (168, ... 00760 872 NtWaitForSingleObject ... ) == 0x0 00980 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00981 872 NtWaitForSingleObject (168, 0, 0x0, ... 00979 400 NtSetEvent ... 0x0, ) == 0x0 00982 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00983 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00984 400 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00985 400 NtSetEvent (124, ... 00833 740 NtWaitForSingleObject ... ) == 0x0 00986 740 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00987 740 NtWaitForSingleObject (124, 0, 0x0, ... 00985 400 NtSetEvent ... 0x0, ) == 0x0 00988 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00989 400 NtSetEvent (136, ... 00973 796 NtWaitForSingleObject ... 
) == 0x0 00990 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00991 796 NtWaitForSingleObject (136, 0, 0x0, ... 00989 400 NtSetEvent ... 0x0, ) == 0x0 00992 400 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00993 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 00997 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 00998 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 252, ) == 0x0 00999 400 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01000 400 NtClose (244, ... ) == 0x0 01001 400 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 01002 400 NtClose (252, ... ) == 0x0 01003 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01005 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01006 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... 
) == 0x0 01007 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0 01008 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 244, ) == 0x0 01009 400 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01010 400 NtClose (252, ... ) == 0x0 01011 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 01012 400 NtClose (244, ... ) == 0x0 01013 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01014 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01015 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 244, ) }, ... 244, ) == 0x0 01016 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 01017 400 NtClose (244, ... ) == 0x0 01018 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 244, ) }, ... 244, ) == 0x0 01019 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 01020 400 NtClose (244, ... ) == 0x0 01021 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 244, ) }, ... 244, ) == 0x0 01022 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 01023 400 NtClose (244, ... ) == 0x0 01024 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 244, ) }, ... 
244, ) == 0x0 01025 400 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 01026 400 NtClose (244, ... ) == 0x0 01027 400 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01028 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01029 400 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 01030 400 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 01031 400 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 01032 400 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 01033 400 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1242140, 0, (0x1f0003, {24, 56, 0x80, 1242140, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01034 400 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 244, ) }, ... 244, ) == 0x0 01035 400 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 01036 400 NtCreateKey (0xf003f, {24, 52, 0x40, 0, 0, (0xf003f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 252, 2, ) }, 0, 0x0, 0, ... 252, 2, ) == 0x0 01037 400 NtQueryDefaultUILanguage (1240376, ... 01038 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01039 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01040 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01041 400 NtClose (-2147482020, ... 
) == 0x0 01042 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01043 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01044 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01045 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01046 400 NtClose (-2147482032, ... ) == 0x0 01047 400 NtClose (-2147482020, ... ) == 0x0 01037 400 NtQueryDefaultUILanguage ... ) == 0x0 01048 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01049 400 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 01050 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 256, {status=0x0, info=1}, ) }, 1, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01051 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 256, ... 260, ) == 0x0 01052 400 NtMapViewOfSection (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2780000), 0x0, 593920, ) == 0x0 01053 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01054 400 NtQueryDefaultUILanguage (2013024600, ... 01055 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01056 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482020, ) == 0x0 01057 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01058 400 NtClose (-2147482020, ... ) == 0x0 01059 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01060 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01061 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01062 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01063 400 NtClose (-2147482032, ... ) == 0x0 01064 400 NtClose (-2147482020, ... ) == 0x0 01054 400 NtQueryDefaultUILanguage ... ) == 0x0 01065 400 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 01066 400 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 01067 400 NtQueryDefaultLocale (1, 1238412, ... ) == 0x0 01068 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01069 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0P\275\177\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 400, 1531, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0P\275\177\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 400, 1531, 0} (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0P\275\177\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1531, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0P\275\177\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ) ) == 0x0 01070 400 NtClose (256, ... ) == 0x0 01071 400 NtClose (260, ... ) == 0x0 01072 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 01073 400 NtUnmapViewOfSection (-1, 0x12efe4, ... ) == STATUS_NOT_MAPPED_VIEW 01074 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01075 400 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01076 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01077 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01078 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236952, ... ) }, 1236952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01080 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01081 400 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01082 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237544, ... ) }, 1237544, ... ) == 0x0 01083 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 260, {status=0x0, info=1}, ) }, 3, 33, ... 260, {status=0x0, info=1}, ) == 0x0 01084 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01085 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01086 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 256, ... 264, ) == 0x0 01087 400 NtClose (256, ... ) == 0x0 01088 400 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2780000), 0x0, 921600, ) == 0x0 01089 400 NtClose (264, ... ) == 0x0 01090 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 01091 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01092 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 256, ) == 0x0 01093 400 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01094 400 NtClose (264, ... ) == 0x0 01095 400 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01096 400 NtClose (256, ... ) == 0x0 01097 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01098 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 01099 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01100 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01101 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01102 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01103 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01104 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01105 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01106 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01107 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01108 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01109 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01110 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01111 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01112 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01113 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01114 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01115 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01116 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01117 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01118 400 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238728, ... ) , 42, 1238728, ... ) == 0x0 01119 400 NtQueryDefaultUILanguage (1237444, ... 01120 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01121 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01122 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01123 400 NtClose (-2147482020, ... ) == 0x0 01124 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01125 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01127 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01128 400 NtClose (-2147482032, ... ) == 0x0 01129 400 NtClose (-2147482020, ... ) == 0x0 01119 400 NtQueryDefaultUILanguage ... ) == 0x0 01130 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01131 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236296, ... ) }, 1236296, ... ) == 0x0 01132 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01133 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 256, ... 264, ) == 0x0 01134 400 NtClose (256, ... ) == 0x0 01135 400 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2410000), 0x0, 4096, ) == 0x0 01136 400 NtClose (264, ... 
) == 0x0 01137 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01138 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235936, ... ) }, 1235936, ... ) == 0x0 01139 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236636, (0x80100080, {24, 0, 0x40, 0, 1236636, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0 01140 400 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 264, ... 256, ) == 0x0 01141 400 NtClose (264, ... ) == 0x0 01142 400 NtMapViewOfSection (256, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2410000), {0, 0}, 4096, ) == 0x0 01143 400 NtClose (256, ... ) == 0x0 01144 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01145 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 256, {status=0x0, info=1}, ) }, 1, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01146 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 256, ... 264, ) == 0x0 01147 400 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2410000), 0x0, 4096, ) == 0x0 01148 400 NtQueryInformationFile (256, 1236256, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01149 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01150 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 400, 1532, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 400, 1532, 0} (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1532, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ) ) == 0x0 01151 400 NtClose (256, ... ) == 0x0 01152 400 NtClose (264, ... ) == 0x0 01153 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01154 400 NtUnmapViewOfSection (-1, 0x12e470, ... ) == STATUS_NOT_MAPPED_VIEW 01155 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01156 400 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01157 400 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01158 400 NtUserGetDC (0, ... ) == 0x1010051 01159 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01160 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01161 400 NtContinue (1236292, 0, ... 01162 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01163 400 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01164 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01165 400 NtUnmapViewOfSection (-1, 0x2400000, ... ) == 0x0 01166 400 NtClose (260, ... 
) == 0x0 01167 400 NtCreateKey (0x2001f, {24, 52, 0x40, 0, 0, (0x2001f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0 01168 400 NtQueryValueKey (260, (260, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 400 NtQueryValueKey (260, (260, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 400 NtQueryValueKey (260, (260, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 400 NtQueryValueKey (260, (260, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 400 NtQueryValueKey (260, (260, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 400 NtQueryValueKey (260, (260, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 400 NtQueryValueKey (260, (260, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01175 400 NtQueryValueKey (260, (260, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 400 NtQueryValueKey (260, (260, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01177 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1241480, ... ) }, 1241480, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01179 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1241480, ... ) }, 1241480, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1241480, ... ) }, 1241480, ... ) == 0x0 01181 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01182 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 256, ) == 0x0 01183 400 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01184 400 NtClose (264, ... ) == 0x0 01185 400 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 01186 400 NtClose (256, ... ) == 0x0 01187 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 256, ) == 0x0 01188 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 264, ) == 0x0 01189 400 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 268, ) }, ... 268, ) == 0x0 01190 400 NtQueryEvent (268, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01191 400 NtClose (268, ... ) == 0x0 01192 400 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1242964, 140, ... 268, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1242964, 140, ... 268, 0x0, 0x0, 256, 140, ) == 0x0 01193 400 NtRequestWaitReplyPort (268, {28, 52, new_msg, 0, 0, 0, 0, 0} (268, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... 
{176, 200, reply, 0, 396, 400, 1534, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 396, 400, 1534, 0} (268, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 396, 400, 1534, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01194 400 NtQueryValueKey (260, (260, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01195 400 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 272, ) }, ... 272, ) == 0x0 01196 400 NtQueryValueKey (272, (272, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01197 400 NtClose (272, ... ) == 0x0 01198 400 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 272, ) }, ... 272, ) == 0x0 01199 400 NtQueryValueKey (272, (272, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01200 400 NtClose (272, ... ) == 0x0 01201 400 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 272, ) }, ... 
272, ) == 0x0 01202 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 276, ) }, ... 276, ) == 0x0 01203 400 NtQueryValueKey (276, (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01204 400 NtClose (276, ... ) == 0x0 01205 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 276, ) }, ... 276, ) == 0x0 01206 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 280, ) }, ... 280, ) == 0x0 01207 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 284, ) }, ... 284, ) == 0x0 01208 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 288, ) }, ... 288, ) == 0x0 01209 400 NtQueryValueKey (288, (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01210 400 NtQueryValueKey (288, (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01211 400 NtClose (288, ... ) == 0x0 01212 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 288, ) }, ... 288, ) == 0x0 01213 400 NtQueryValueKey (288, (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01214 400 NtQueryValueKey (288, (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01215 400 NtQueryValueKey (288, (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01216 400 NtQueryValueKey (288, (288, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01217 400 NtQueryValueKey (288, (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01218 400 NtQueryValueKey (288, (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01219 400 NtClose (288, ... ) == 0x0 01220 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Content"}, ... 288, ) }, ... 288, ) == 0x0 01221 400 NtQueryValueKey (288, (288, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01222 400 NtClose (288, ... ) == 0x0 01223 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Content"}, ... 288, ) }, ... 288, ) == 0x0 01224 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 292, ) }, ... 292, ) == 0x0 01225 400 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x773d0000), 0x0, 8339456, ) == 0x0 01226 400 NtClose (292, ... ) == 0x0 01227 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 292, ) }, ... 292, ) == 0x0 01228 400 NtQueryValueKey (292, (292, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (292, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01229 400 NtClose (292, ... ) == 0x0 01230 400 NtQueryDefaultUILanguage (1237932, ... 01231 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01232 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01233 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01234 400 NtClose (-2147482020, ... ) == 0x0 01235 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01236 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01238 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01239 400 NtClose (-2147482032, ... ) == 0x0 01240 400 NtClose (-2147482020, ... ) == 0x0 01230 400 NtQueryDefaultUILanguage ... ) == 0x0 01241 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01242 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 292, {status=0x0, info=1}, ) }, 1, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01243 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 292, ... 296, ) == 0x0 01244 400 NtMapViewOfSection (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2780000), 0x0, 8323072, ) == 0x0 01245 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01246 400 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01247 400 NtQueryDefaultLocale (1, 1235968, ... ) == 0x0 01248 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\257\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1535, 0} " S\26\0\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\257\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 396, 400, 1535, 0} (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\257\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1535, 0} " S\26\0\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\257\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ) ) == 0x0 01250 400 NtClose (292, ... ) == 0x0 01251 400 NtClose (296, ... ) == 0x0 01252 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 01253 400 NtUnmapViewOfSection (-1, 0x12e658, ... ) == STATUS_NOT_MAPPED_VIEW 01254 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01255 400 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01256 400 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01258 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01259 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235052, ... ) }, 1235052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01261 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01262 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01263 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235644, ... ) }, 1235644, ... 
) == 0x0 01264 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 296, {status=0x0, info=1}, ) }, 3, 33, ... 296, {status=0x0, info=1}, ) == 0x0 01265 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01266 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01267 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 292, ... 300, ) == 0x0 01268 400 NtClose (292, ... ) == 0x0 01269 400 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2780000), 0x0, 921600, ) == 0x0 01270 400 NtClose (300, ... ) == 0x0 01271 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 01272 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01273 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 300, ... 292, ) == 0x0 01274 400 NtQuerySection (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01275 400 NtClose (300, ... ) == 0x0 01276 400 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01277 400 NtClose (292, ... ) == 0x0 01278 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01279 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01280 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01281 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 01282 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01283 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01284 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01285 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01286 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01287 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01288 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01289 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01290 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01291 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01292 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01293 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01294 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01295 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01296 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01297 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01298 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01299 400 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1236828, ... ) , 42, 1236828, ... ) == 0x0 01300 400 NtQueryDefaultUILanguage (1235544, ... 01301 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01302 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01303 400 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01304 400 NtClose (-2147482020, ... ) == 0x0 01305 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01306 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01308 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 400 NtClose (-2147482032, ... ) == 0x0 01310 400 NtClose (-2147482020, ... ) == 0x0 01300 400 NtQueryDefaultUILanguage ... ) == 0x0 01311 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01312 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234396, ... ) }, 1234396, ... ) == 0x0 01313 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01314 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 292, ... 300, ) == 0x0 01315 400 NtClose (292, ... ) == 0x0 01316 400 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2410000), 0x0, 4096, ) == 0x0 01317 400 NtClose (300, ... ) == 0x0 01318 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01319 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234036, ... ) }, 1234036, ... 
) == 0x0 01320 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234736, (0x80100080, {24, 0, 0x40, 0, 1234736, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01321 400 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 300, ... 292, ) == 0x0 01322 400 NtClose (300, ... ) == 0x0 01323 400 NtMapViewOfSection (292, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2410000), {0, 0}, 4096, ) == 0x0 01324 400 NtClose (292, ... ) == 0x0 01325 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01326 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 292, {status=0x0, info=1}, ) }, 1, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01327 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 292, ... 300, ) == 0x0 01328 400 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2410000), 0x0, 4096, ) == 0x0 01329 400 NtQueryInformationFile (292, 1234356, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01330 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 400, 1536, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 400, 1536, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1536, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ) == 0x0 01332 400 NtClose (292, ... ) == 0x0 01333 400 NtClose (300, ... ) == 0x0 01334 400 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01335 400 NtUnmapViewOfSection (-1, 0x12dd04, ... ) == STATUS_NOT_MAPPED_VIEW 01336 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01337 400 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01338 400 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01339 400 NtUserGetDC (0, ... ) == 0x1010053 01340 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01341 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01342 400 NtContinue (1234400, 0, ... 01343 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01344 400 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01345 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01346 400 NtUnmapViewOfSection (-1, 0x2400000, ... ) == 0x0 01347 400 NtClose (296, ... ) == 0x0 01348 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... 
) == 0xc03b 01349 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc03d 01350 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc03f 01351 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc041 01352 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc043 01353 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc045 01354 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc047 01355 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc049 01356 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04b 01357 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04d 01358 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04f 01359 400 NtUserGetClassInfo (1999896576, 1239672, 1239624, 1239700, 0, ... ) == 0xc051 01360 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc053 01361 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc055 01362 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc059 01363 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05b 01364 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05d 01365 400 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05f 01366 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01367 400 NtCreateSemaphore (0x1f0003, {24, 56, 0x80, 1353424, 0, (0x1f0003, {24, 56, 0x80, 1353424, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 296, ) }, 0, 2147483647, ... 296, ) == STATUS_OBJECT_NAME_EXISTS 01368 400 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01369 400 NtWaitForSingleObject (296, 0, {0, 0}, ... 
) == 0x0 01370 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01371 400 NtQueryValueKey (300, (300, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01372 400 NtClose (300, ... ) == 0x0 01373 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01374 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01375 400 NtSetValueKey (300, (300, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (300, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01376 400 NtClose (300, ... 
) == 0x0 01377 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241524, ... ) }, 1241524, ... ) == 0x0 01378 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01379 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 300, {status=0x0, info=1}, ) == 0x0 01380 400 NtSetInformationFile (300, 1241232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01381 400 NtClose (300, ... ) == 0x0 01382 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01383 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01384 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01385 400 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01386 400 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 300, ) }, ... 
300, ) == 0x0 01387 400 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Paths"}, ... 292, ) }, ... 292, ) == 0x0 01388 400 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path1"}, ... 304, ) }, ... 304, ) == 0x0 01389 400 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path2"}, ... 308, ) }, ... 308, ) == 0x0 01390 400 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path3"}, ... 312, ) }, ... 312, ) == 0x0 01391 400 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path4"}, ... 316, ) }, ... 316, ) == 0x0 01392 400 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Special Paths"}, ... 320, ) }, ... 320, ) == 0x0 01393 400 NtSetValueKey (292, (292, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (292, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 01394 400 NtSetValueKey (292, (292, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (292, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 01395 400 NtSetValueKey (304, (304, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... 
) , 0, 1, (304, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01396 400 NtSetValueKey (308, (308, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (308, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01397 400 NtSetValueKey (312, (312, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (312, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... 
) == 0x0 01398 400 NtSetValueKey (316, (316, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (316, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01399 400 NtSetValueKey (304, (304, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (304, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01400 400 NtSetValueKey (308, (308, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (308, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01401 400 NtSetValueKey (312, (312, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (312, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01402 400 NtSetValueKey (316, (316, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (316, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01403 400 NtClose (316, ... ) == 0x0 01404 400 NtClose (312, ... ) == 0x0 01405 400 NtClose (308, ... ) == 0x0 01406 400 NtClose (304, ... ) == 0x0 01407 400 NtClose (292, ... ) == 0x0 01408 400 NtClose (320, ... ) == 0x0 01409 400 NtClose (300, ... ) == 0x0 01410 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Cookies"}, ... 300, ) }, ... 300, ) == 0x0 01411 400 NtQueryValueKey (300, (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01412 400 NtClose (300, ... 
) == 0x0 01413 400 NtClose (288, ... ) == 0x0 01414 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Cookies"}, ... 288, ) }, ... 288, ) == 0x0 01415 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01416 400 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01417 400 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 01418 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01419 400 NtQueryValueKey (300, (300, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01420 400 NtClose (300, ... ) == 0x0 01421 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01422 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01423 400 NtSetValueKey (300, (300, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (300, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01424 400 NtClose (300, ... ) == 0x0 01425 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1241524, ... ) }, 1241524, ... 
) == 0x0 01426 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01427 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01428 400 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01429 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "History"}, ... 300, ) }, ... 300, ) == 0x0 01430 400 NtQueryValueKey (300, (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01431 400 NtClose (300, ... ) == 0x0 01432 400 NtClose (288, ... ) == 0x0 01433 400 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "History"}, ... 288, ) }, ... 288, ) == 0x0 01434 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01435 400 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01436 400 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 01437 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01438 400 NtQueryValueKey (300, (300, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01439 400 NtClose (300, ... ) == 0x0 01440 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01441 400 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01442 400 NtSetValueKey (300, (300, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (300, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 01443 400 NtClose (300, ... ) == 0x0 01444 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241524, ... ) }, 1241524, ... ) == 0x0 01445 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01446 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 
300, {status=0x0, info=1}, ) == 0x0 01447 400 NtSetInformationFile (300, 1241232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01448 400 NtClose (300, ... ) == 0x0 01449 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01450 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01451 400 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01452 400 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01453 400 NtClose (288, ... ) == 0x0 01454 400 NtClose (284, ... ) == 0x0 01455 400 NtClose (276, ... ) == 0x0 01456 400 NtClose (280, ... ) == 0x0 01457 400 NtClose (272, ... ) == 0x0 01458 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 272, ) }, ... 272, ) == 0x0 01459 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 280, ) }, ... 280, ) == 0x0 01460 400 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01461 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 
276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01462 400 NtQueryVolumeInformationFile (276, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01463 400 NtClose (276, ... ) == 0x0 01464 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01465 400 NtQueryVolumeInformationFile (276, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01466 400 NtClose (276, ... ) == 0x0 01467 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01468 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 276, {status=0x0, info=1}, ) }, 7, 2113568, ... 276, {status=0x0, info=1}, ) == 0x0 01469 400 NtSetInformationFile (276, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01470 400 NtClose (276, ... ) == 0x0 01471 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01472 400 NtSetInformationFile (276, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01473 400 NtQueryInformationFile (276, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01474 400 NtClose (276, ... ) == 0x0 01475 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01476 400 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 284, ) }, ... 284, ) == 0x0 01477 400 NtMapViewOfSection (284, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2400000), {0, 0}, 32768, ) == 0x0 01478 400 NtReleaseMutant (280, ... 0x0, ) == 0x0 01479 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 288, ) }, ... 288, ) == 0x0 01480 400 NtWaitForSingleObject (288, 0, 0x0, ... ) == 0x0 01481 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01482 400 NtQueryVolumeInformationFile (300, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01483 400 NtClose (300, ... ) == 0x0 01484 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01485 400 NtQueryVolumeInformationFile (300, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01486 400 NtClose (300, ... ) == 0x0 01487 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01488 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 300, {status=0x0, info=1}, ) == 0x0 01489 400 NtSetInformationFile (300, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01490 400 NtClose (300, ... 
) == 0x0 01491 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01492 400 NtSetInformationFile (300, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01493 400 NtQueryInformationFile (300, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01494 400 NtClose (300, ... ) == 0x0 01495 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01496 400 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 320, ) }, ... 320, ) == 0x0 01497 400 NtMapViewOfSection (320, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2410000), {0, 0}, 16384, ) == 0x0 01498 400 NtReleaseMutant (288, ... 0x0, ) == 0x0 01499 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 292, ) }, ... 292, ) == 0x0 01500 400 NtWaitForSingleObject (292, 0, 0x0, ... ) == 0x0 01501 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 304, {status=0x0, info=1}, ) }, 3, 8388641, ... 304, {status=0x0, info=1}, ) == 0x0 01502 400 NtQueryVolumeInformationFile (304, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01503 400 NtClose (304, ... ) == 0x0 01504 400 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 304, {status=0x0, info=1}, ) }, 3, 8388641, ... 
304, {status=0x0, info=1}, ) == 0x0 01505 400 NtQueryVolumeInformationFile (304, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01506 400 NtClose (304, ... ) == 0x0 01507 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01508 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 304, {status=0x0, info=1}, ) }, 7, 2113568, ... 304, {status=0x0, info=1}, ) == 0x0 01509 400 NtSetInformationFile (304, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01510 400 NtClose (304, ... ) == 0x0 01511 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) == 0x0 01512 400 NtSetInformationFile (304, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01513 400 NtQueryInformationFile (304, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01514 400 NtClose (304, ... ) == 0x0 01515 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) == 0x0 01516 400 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 308, ) }, ... 308, ) == 0x0 01517 400 NtMapViewOfSection (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2440000), {0, 0}, 32768, ) == 0x0 01518 400 NtReleaseMutant (292, ... 
0x0, ) == 0x0 01519 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01520 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01521 400 NtSetInformationFile (312, 1243160, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01522 400 NtClose (312, ... ) == 0x0 01523 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01524 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01525 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01526 400 NtSetInformationFile (312, 1243160, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01527 400 NtClose (312, ... ) == 0x0 01528 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01529 400 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01530 400 NtQueryInformationFile (276, 1241568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01531 400 NtReleaseMutant (280, ... 0x0, ) == 0x0 01532 400 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
312, ) }, ... 312, ) == 0x0 01533 400 NtOpenKey (0xf, {24, 312, 0x40, 0, 0, (0xf, {24, 312, 0x40, 0, 0, "Extensible Cache"}, ... 316, ) }, ... 316, ) == 0x0 01534 400 NtClose (312, ... ) == 0x0 01535 400 NtWaitForSingleObject (272, 0, {-600000000, -1}, ... ) == 0x0 01536 400 NtEnumerateKey (316, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01537 400 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007051420070521"}, ... 312, ) }, ... 312, ) == 0x0 01538 400 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01539 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01540 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01541 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01542 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01543 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01544 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01545 400 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01546 400 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01547 400 NtClose (312, ... ) == 0x0 01548 400 NtEnumerateKey (316, 1, Basic, 288, ... 
{LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01549 400 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007052120070528"}, ... 312, ) }, ... 312, ) == 0x0 01550 400 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01551 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01552 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01553 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01554 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01555 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01556 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01557 400 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01558 400 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01559 400 NtClose (312, ... ) == 0x0 01560 400 NtEnumerateKey (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01561 400 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007053120070601"}, ... 312, ) }, ... 
312, ) == 0x0 01562 400 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01563 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01564 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01565 400 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01566 400 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01567 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01568 400 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01569 400 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01570 400 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01571 400 NtClose (312, ... ) == 0x0 01572 400 NtEnumerateKey (316, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01573 400 NtReleaseMutant (272, ... 0x0, ) == 0x0 01574 400 NtClose (316, ... ) == 0x0 01575 400 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01576 400 NtQueryInformationFile (276, 1243496, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01577 400 NtReleaseMutant (280, ... 0x0, ) == 0x0 01578 400 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01579 400 NtQueryInformationFile (276, 1243568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01580 400 NtReleaseMutant (280, ... 0x0, ) == 0x0 01581 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01582 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01583 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01584 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01587 400 NtQueryValueKey (316, (316, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 400 NtClose (316, ... ) == 0x0 01589 400 NtQueryValueKey (260, (260, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 400 NtQueryValueKey (260, (260, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 400 NtQueryValueKey (260, (260, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01592 400 NtQueryValueKey (260, (260, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01593 400 NtQueryValueKey (260, (260, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01594 400 NtQueryValueKey (260, (260, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01595 400 NtQueryValueKey (260, (260, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01596 400 NtQueryValueKey (260, (260, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01597 400 NtQueryValueKey (260, (260, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 400 NtQueryValueKey (260, (260, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 400 NtQueryValueKey (260, (260, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01600 400 NtQueryValueKey (260, (260, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01601 400 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 316, ) }, ... 316, ) == 0x0 01602 400 NtQueryValueKey (316, (316, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01603 400 NtClose (316, ... ) == 0x0 01604 400 NtQueryValueKey (260, (260, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01605 400 NtQueryValueKey (260, (260, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 400 NtQueryValueKey (260, (260, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01607 400 NtQueryValueKey (260, (260, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01608 400 NtQueryValueKey (260, (260, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01609 400 NtQueryValueKey (260, (260, "LeashLegacyCookies", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01610 400 NtQueryValueKey (260, (260, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01611 400 NtQueryValueKey (260, (260, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01612 400 NtQueryValueKey (260, (260, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01613 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01614 400 NtQueryValueKey (316, (316, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 400 NtClose (316, ... ) == 0x0 01616 400 NtQueryValueKey (260, (260, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 400 NtQueryValueKey (260, (260, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01618 400 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01619 400 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01620 400 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01621 400 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01622 400 NtQueryValueKey (260, (260, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01623 400 NtQueryValueKey (260, (260, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01624 400 NtQueryValueKey (260, (260, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01625 400 NtQueryValueKey (260, (260, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01626 400 NtQueryValueKey (260, (260, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (260, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01627 400 NtQueryValueKey (260, (260, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01628 400 NtQueryValueKey (260, (260, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01629 400 NtQueryValueKey (260, (260, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01630 400 NtQueryValueKey (260, (260, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 400 NtQueryValueKey (260, (260, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01632 400 NtQueryValueKey (260, (260, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetStartupMutex"}, ... 316, ) }, ... 
316, ) == 0x0 01634 400 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 312, ) == 0x0 01635 400 NtQueryValueKey (260, (260, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01636 400 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01637 400 NtQueryInformationFile (276, 1243544, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01638 400 NtReleaseMutant (280, ... 0x0, ) == 0x0 01639 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetConnectionMutex"}, ... 324, ) }, ... 324, ) == 0x0 01640 400 NtCreateMutant (0x1f0001, 0x0, 0, ... 328, ) == 0x0 01641 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 332, ) }, ... 332, ) == 0x0 01642 400 NtQueryValueKey (260, (260, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01643 400 NtQueryValueKey (260, (260, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01644 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 336, ) }, ... 336, ) == 0x0 01645 400 NtQueryValueKey (336, (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01646 400 NtQueryValueKey (336, (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01647 400 NtClose (336, ... ) == 0x0 01648 400 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01649 400 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 336, ) == 0x0 01650 400 NtWaitForSingleObject (336, 0, 0x0, ... ) == 0x0 01651 400 NtClearEvent (336, ... ) == 0x0 01652 400 NtSetEvent (336, ... 0x0, ) == 0x0 01653 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01654 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01655 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01656 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0 01657 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 01658 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 344, ) == 0x0 01659 400 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01660 400 NtClose (340, ... ) == 0x0 01661 400 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 01662 400 NtClose (344, ... ) == 0x0 01663 400 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 344, ) }, ... 344, ) == 0x0 01664 400 NtQueryValueKey (344, (344, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01665 400 NtQueryValueKey (344, (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01666 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 01667 400 NtOpenKey (0x2000000, {24, 344, 0x40, 0, 0, (0x2000000, {24, 344, 0x40, 0, 0, "Protocol_Catalog9"}, ... 348, ) }, ... 348, ) == 0x0 01668 400 NtQueryValueKey (348, (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01669 400 NtNotifyChangeKey (348, 340, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01670 400 NtQueryValueKey (348, (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01671 400 NtOpenKey (0x2000000, {24, 348, 0x40, 0, 0, (0x2000000, {24, 348, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01672 400 NtQueryValueKey (348, (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01673 400 NtQueryValueKey (348, (348, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01674 400 NtOpenKey (0x2000000, {24, 348, 0x40, 0, 0, (0x2000000, {24, 348, 0x40, 0, 0, "Catalog_Entries"}, ... 352, ) }, ... 352, ) == 0x0 01675 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000001"}, ... 356, ) }, ... 356, ) == 0x0 01676 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01677 400 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01678 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01679 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\220\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\221\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01680 400 NtClose (356, ... ) == 0x0 01681 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000002"}, ... 356, ) }, ... 356, ) == 0x0 01682 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01683 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01684 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\225\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\226\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01685 400 NtClose (356, ... ) == 0x0 01686 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000003"}, ... 356, ) }, ... 356, ) == 0x0 01687 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01688 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01689 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\232\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\233\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01690 400 NtClose (356, ... ) == 0x0 01691 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000004"}, ... 356, ) }, ... 356, ) == 0x0 01692 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01693 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01694 400 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01695 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\240\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\241\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01696 400 NtClose (356, ... ) == 0x0 01697 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000005"}, ... 356, ) }, ... 356, ) == 0x0 01698 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01699 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01700 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\245\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\246\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01701 400 NtClose (356, ... ) == 0x0 01702 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000006"}, ... 356, ) }, ... 356, ) == 0x0 01703 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01704 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01705 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\252\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\253\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01706 400 NtClose (356, ... ) == 0x0 01707 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000007"}, ... 356, ) }, ... 356, ) == 0x0 01708 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01709 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01710 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\257\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\260\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01711 400 NtClose (356, ... ) == 0x0 01712 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000008"}, ... 356, ) }, ... 356, ) == 0x0 01713 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01714 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01715 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\264\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\265\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01716 400 NtClose (356, ... ) == 0x0 01717 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000009"}, ... 356, ) }, ... 356, ) == 0x0 01718 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01719 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01720 400 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01721 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\272\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\273\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01722 400 NtClose (356, ... ) == 0x0 01723 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000010"}, ... 356, ) }, ... 356, ) == 0x0 01724 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01725 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01726 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\277\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\300\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\6\0\0\214\1\0\0\220\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01727 400 NtClose (356, ... ) == 0x0 01728 400 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000011"}, ... 356, ) }, ... 356, ) == 0x0 01729 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01730 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01731 400 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\304\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\304\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\305\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\6\0\0\214\1\0\0\220\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\6\0\0\214\1\0\0\220\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\307\6\0\0\214\1\0\0\220\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\307\6\0\0\214\1\0\0\220\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\310\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\1\0\0p\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\312\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\304\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\304\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\305\6\0\0\214\1\0\0\220\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\6\0\0\214\1\0\0\220\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\6\0\0\214\1\0\0\220\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\307\6\0\0\214\1\0\0\220\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\307\6\0\0\214\1\0\0\220\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\310\6\0\0\214\1\0\0\220\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\1\0\0p\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\312\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01732 400 NtClose (356, ... ) == 0x0 01733 400 NtClose (352, ... 
) == 0x0 01734 400 NtWaitForSingleObject (340, 0, {0, 0}, ... ) == 0x102 01735 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0 01736 400 NtOpenKey (0x2000000, {24, 344, 0x40, 0, 0, (0x2000000, {24, 344, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 356, ) }, ... 356, ) == 0x0 01737 400 NtQueryValueKey (356, (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01738 400 NtNotifyChangeKey (356, 352, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01739 400 NtQueryValueKey (356, (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01740 400 NtOpenKey (0x2000000, {24, 356, 0x40, 0, 0, (0x2000000, {24, 356, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 400 NtQueryValueKey (356, (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01742 400 NtOpenKey (0x2000000, {24, 356, 0x40, 0, 0, (0x2000000, {24, 356, 0x40, 0, 0, "Catalog_Entries"}, ... 360, ) }, ... 360, ) == 0x0 01743 400 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000001"}, ... 364, ) }, ... 364, ) == 0x0 01744 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01745 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01746 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01747 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01748 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01749 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01750 400 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01751 400 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01752 400 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01753 400 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01754 400 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01755 400 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01756 400 NtClose (364, ... ) == 0x0 01757 400 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000002"}, ... 364, ) }, ... 364, ) == 0x0 01758 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01759 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01760 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01761 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01762 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01763 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01764 400 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01765 400 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 400 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01767 400 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01768 400 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01769 400 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01770 400 NtClose (364, ... ) == 0x0 01771 400 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01772 400 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000003"}, ... 364, ) }, ... 364, ) == 0x0 01773 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01774 400 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01775 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01776 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01777 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01778 400 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01779 400 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01780 400 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01781 400 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01782 400 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01783 400 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01784 400 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01785 400 NtClose (364, ... ) == 0x0 01786 400 NtClose (360, ... ) == 0x0 01787 400 NtWaitForSingleObject (352, 0, {0, 0}, ... ) == 0x102 01788 400 NtClose (344, ... ) == 0x0 01789 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01790 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01791 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 344, ) }, ... 344, ) == 0x0 01792 400 NtQueryValueKey (344, (344, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 400 NtClose (344, ... ) == 0x0 01794 400 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 344, ) == 0x0 01795 400 NtClearEvent (312, ... ) == 0x0 01796 400 NtSetEvent (312, ... 0x0, ) == 0x0 01797 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01798 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01799 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1242008, ... ) }, 1242008, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01800 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 01801 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01802 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01803 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01804 400 NtClose (360, ... ) == 0x0 01805 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01806 400 NtClose (364, ... ) == 0x0 01807 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01809 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01810 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == 0x0 01811 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01812 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01813 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01814 400 NtClose (364, ... ) == 0x0 01815 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01816 400 NtClose (360, ... 
) == 0x0 01817 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01818 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1241668, ... ) }, 1241668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01819 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1241668, ... ) }, 1241668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01820 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1241668, ... ) }, 1241668, ... ) == 0x0 01821 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01822 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01823 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01824 400 NtClose (360, ... ) == 0x0 01825 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01826 400 NtClose (364, ... ) == 0x0 01827 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01828 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01829 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01831 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 
364, {status=0x0, info=1}, ) == 0x0 01832 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01833 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01834 400 NtClose (364, ... ) == 0x0 01835 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01836 400 NtClose (360, ... ) == 0x0 01837 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01839 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01840 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01841 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01842 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01843 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01844 400 NtClose (360, ... ) == 0x0 01845 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01846 400 NtClose (364, ... ) == 0x0 01847 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01849 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1239256, ... 
) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01850 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01851 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01852 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01853 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01854 400 NtClose (364, ... ) == 0x0 01855 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01856 400 NtClose (360, ... ) == 0x0 01857 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01858 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01859 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01860 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == 0x0 01861 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01862 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01863 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01864 400 NtClose (360, ... ) == 0x0 01865 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01866 400 NtClose (364, ... 
) == 0x0 01867 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 364, ) }, ... 364, ) == 0x0 01868 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01869 400 NtClose (364, ... ) == 0x0 01870 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01871 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01872 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01873 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01874 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01875 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01876 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01877 400 NtClose (364, ... ) == 0x0 01878 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01879 400 NtClose (360, ... ) == 0x0 01880 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01882 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1240060, ... ) }, 1240060, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01883 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01884 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01885 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01886 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01887 400 NtClose (360, ... ) == 0x0 01888 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01889 400 NtClose (364, ... ) == 0x0 01890 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01891 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01892 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01893 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01894 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01895 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01896 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01897 400 NtClose (364, ... ) == 0x0 01898 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01899 400 NtClose (360, ... 
) == 0x0 01900 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01901 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01902 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01904 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01905 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01906 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01907 400 NtClose (360, ... ) == 0x0 01908 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01909 400 NtClose (364, ... ) == 0x0 01910 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01911 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01912 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01913 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01914 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 
364, {status=0x0, info=1}, ) == 0x0 01915 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01916 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01917 400 NtClose (364, ... ) == 0x0 01918 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01919 400 NtClose (360, ... ) == 0x0 01920 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01922 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01924 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01925 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01926 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01927 400 NtClose (360, ... ) == 0x0 01928 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01929 400 NtClose (364, ... ) == 0x0 01930 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01931 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01932 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1240060, ... ) }, 1240060, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01933 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01934 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01935 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01936 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01937 400 NtClose (364, ... ) == 0x0 01938 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01939 400 NtClose (360, ... ) == 0x0 01940 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01941 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01942 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01943 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01944 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01945 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01946 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01947 400 NtClose (360, ... ) == 0x0 01948 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01949 400 NtClose (364, ... 
) == 0x0 01950 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01951 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01952 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01953 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01954 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01955 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01956 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01957 400 NtClose (364, ... ) == 0x0 01958 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01959 400 NtClose (360, ... ) == 0x0 01960 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01961 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01962 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01963 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01964 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 
360, {status=0x0, info=1}, ) == 0x0 01965 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01966 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01967 400 NtClose (360, ... ) == 0x0 01968 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01969 400 NtClose (364, ... ) == 0x0 01970 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01971 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01972 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01973 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01974 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01975 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01976 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01977 400 NtClose (364, ... ) == 0x0 01978 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01979 400 NtClose (360, ... ) == 0x0 01980 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01981 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01982 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1240060, ... 
) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01983 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01984 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01985 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01986 400 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01987 400 NtClose (360, ... ) == 0x0 01988 400 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01989 400 NtClose (364, ... ) == 0x0 01990 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01991 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01992 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01993 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01994 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01995 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01996 400 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01997 400 NtClose (364, ... ) == 0x0 01998 400 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01999 400 NtClose (360, ... 
) == 0x0 02000 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 360, ) == 0x0 02001 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 364, ) }, ... 364, ) == 0x0 02002 400 NtQueryValueKey (364, (364, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02003 400 NtClose (364, ... ) == 0x0 02004 400 NtQueryDefaultLocale (1, 1243116, ... ) == 0x0 02005 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02006 400 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 39124992, 262144, ) == 0x0 02007 400 NtAllocateVirtualMemory (-1, 39124992, 0, 4096, 4096, 4, ... 39124992, 4096, ) == 0x0 02008 400 NtAllocateVirtualMemory (-1, 39129088, 0, 8192, 4096, 4, ... 39129088, 8192, ) == 0x0 02009 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02010 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02011 400 NtQueryDefaultLocale (1, 1243076, ... ) == 0x0 02012 400 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02013 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 364, ) }, ... 
364, ) == 0x0 02014 400 NtQueryValueKey (364, (364, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02015 400 NtClose (364, ... ) == 0x0 02016 400 NtUserGetProcessWindowStation (... ) == 0x24 02017 400 NtUserGetObjectInformation (36, 1, 1242748, 12, 1242760, ... ) == 0x1 02018 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 364, ) }, ... 364, ) == 0x0 02019 400 NtQueryValueKey (364, (364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 02020 400 NtClose (364, ... ) == 0x0 02021 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02022 400 NtQueryValueKey (364, (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02023 400 NtQueryValueKey (364, (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02024 400 NtClose (364, ... ) == 0x0 02025 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02026 400 NtQueryValueKey (364, (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02027 400 NtQueryValueKey (364, (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02028 400 NtClose (364, ... ) == 0x0 02029 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02030 400 NtQueryValueKey (364, (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02031 400 NtQueryValueKey (364, (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02032 400 NtClose (364, ... ) == 0x0 02033 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02034 400 NtQueryValueKey (364, (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02035 400 NtQueryValueKey (364, (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02036 400 NtClose (364, ... ) == 0x0 02037 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02038 400 NtQueryValueKey (364, (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02039 400 NtQueryValueKey (364, (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02040 400 NtClose (364, ... ) == 0x0 02041 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 364, ) }, ... 364, ) == 0x0 02042 400 NtQueryValueKey (364, (364, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 02043 400 NtClose (364, ... ) == 0x0 02044 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0 02045 400 NtCreateMutant (0x1f0001, 0x0, 0, ... 368, ) == 0x0 02046 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 02047 400 NtCreateMutant (0x1f0001, 0x0, 0, ... 
376, ) == 0x0 02048 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0 02049 400 NtCreateMutant (0x1f0001, 0x0, 0, ... 384, ) == 0x0 02050 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 388, ) }, ... 388, ) == 0x0 02051 400 NtQueryValueKey (388, (388, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02052 400 NtQueryValueKey (388, (388, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02053 400 NtOpenKey (0x1, {24, 388, 0x40, 0, 0, (0x1, {24, 388, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02054 400 NtClose (388, ... ) == 0x0 02055 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1242668, ... ) }, 1242668, ... ) == 0x0 02056 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0 02057 400 NtQueryValueKey (388, (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02058 400 NtClose (388, ... ) == 0x0 02059 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 388, ) }, ... 388, ) == 0x0 02060 400 NtQueryValueKey (388, (388, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "Hostname", Full, 128, ... 
TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (388, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 02061 400 NtClose (388, ... ) == 0x0 02062 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02063 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 388, ) }, ... 388, ) == 0x0 02064 400 NtQueryValueKey (388, (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02065 400 NtClose (388, ... ) == 0x0 02066 400 NtQueryDefaultUILanguage (1241636, ... 02067 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02068 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02069 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02070 400 NtClose (-2147482020, ... ) == 0x0 02071 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 02072 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02073 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 02074 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02075 400 NtClose (-2147482032, ... ) == 0x0 02076 400 NtClose (-2147482020, ... ) == 0x0 02066 400 NtQueryDefaultUILanguage ... ) == 0x0 02077 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02078 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02079 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 388, ... 392, ) == 0x0 02080 400 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2780000), 0x0, 163840, ) == 0x0 02081 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02082 400 NtQueryDefaultLocale (1, 1239672, ... ) == 0x0 02083 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02084 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zz\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 400, 1537, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zz\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 400, 1537, 0} (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zz\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1537, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zz\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ) ) == 0x0 02085 400 NtClose (388, ... ) == 0x0 02086 400 NtClose (392, ... ) == 0x0 02087 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 02088 400 NtUnmapViewOfSection (-1, 0x12f4d0, ... ) == STATUS_NOT_MAPPED_VIEW 02089 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02090 400 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 02091 400 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02092 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02093 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02094 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238756, ... ) }, 1238756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02095 400 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 02096 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02097 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02098 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239348, ... ) }, 1239348, ... ) == 0x0 02099 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 392, {status=0x0, info=1}, ) }, 3, 33, ... 392, {status=0x0, info=1}, ) == 0x0 02100 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02101 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02102 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 396, ) == 0x0 02103 400 NtClose (388, ... ) == 0x0 02104 400 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x27c0000), 0x0, 921600, ) == 0x0 02105 400 NtClose (396, ... ) == 0x0 02106 400 NtUnmapViewOfSection (-1, 0x27c0000, ... ) == 0x0 02107 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0 02108 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 396, ... 388, ) == 0x0 02109 400 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02110 400 NtClose (396, ... ) == 0x0 02111 400 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 02112 400 NtClose (388, ... ) == 0x0 02113 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 02114 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02115 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02116 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02117 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02118 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02119 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02120 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02121 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02122 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02123 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02124 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02125 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02126 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02127 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02128 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02129 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02130 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02131 400 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02132 400 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02133 400 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02134 400 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240532, ... ) , 42, 1240532, ... ) == 0x0 02135 400 NtQueryDefaultUILanguage (1239248, ... 
02136 400 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02137 400 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02138 400 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02139 400 NtClose (-2147482020, ... ) == 0x0 02140 400 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 02141 400 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02142 400 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 02143 400 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 400 NtClose (-2147482032, ... ) == 0x0 02145 400 NtClose (-2147482020, ... ) == 0x0 02135 400 NtQueryDefaultUILanguage ... ) == 0x0 02146 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02147 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238100, ... ) }, 1238100, ... ) == 0x0 02148 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02149 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 396, ) == 0x0 02150 400 NtClose (388, ... ) == 0x0 02151 400 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2780000), 0x0, 4096, ) == 0x0 02152 400 NtClose (396, ... 
) == 0x0 02153 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 02154 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237740, ... ) }, 1237740, ... ) == 0x0 02155 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238440, (0x80100080, {24, 0, 0x40, 0, 1238440, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 02156 400 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 396, ... 388, ) == 0x0 02157 400 NtClose (396, ... ) == 0x0 02158 400 NtMapViewOfSection (388, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2780000), {0, 0}, 4096, ) == 0x0 02159 400 NtClose (388, ... ) == 0x0 02160 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 02161 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02162 400 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 388, ... 396, ) == 0x0 02163 400 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2780000), 0x0, 4096, ) == 0x0 02164 400 NtQueryInformationFile (388, 1238060, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 02165 400 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02166 400 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 396, 400, 1538, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 396, 400, 1538, 0} (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 400, 1538, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ) ) == 0x0 02167 400 NtClose (388, ... ) == 0x0 02168 400 NtClose (396, ... ) == 0x0 02169 400 NtUnmapViewOfSection (-1, 0x2780000, ... ) == 0x0 02170 400 NtUnmapViewOfSection (-1, 0x12eb7c, ... ) == STATUS_NOT_MAPPED_VIEW 02171 400 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02172 400 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 02173 400 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 02174 400 NtUserGetDC (0, ... ) == 0x1010050 02175 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02176 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02177 400 NtContinue (1238104, 0, ... 02178 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02179 400 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 02180 400 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02181 400 NtUnmapViewOfSection (-1, 0x27b0000, ... ) == 0x0 02182 400 NtClose (392, ... 
) == 0x0 02183 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 392, ) }, ... 392, ) == 0x0 02184 400 NtQueryValueKey (392, (392, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02185 400 NtQueryValueKey (392, (392, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02186 400 NtClose (392, ... ) == 0x0 02187 400 NtCreateMutant (0x1f0001, 0x0, 0, ... 392, ) == 0x0 02188 400 NtCreateMutant (0x1f0001, {24, 56, 0x80, 1381520, 0, (0x1f0001, {24, 56, 0x80, 1381520, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 02189 400 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "RasPbFile"}, ... 396, ) }, ... 396, ) == 0x0 02190 400 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 388, ) == 0x0 02191 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 02192 400 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 404, ) == 0x0 02193 400 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 02194 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 02195 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02196 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02197 400 NtQueryValueKey (412, (412, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02198 400 NtQueryValueKey (408, (408, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02199 400 NtQueryValueKey (412, (412, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02200 400 NtQueryValueKey (408, (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02201 400 NtQueryValueKey (412, (412, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02202 400 NtQueryValueKey (408, (408, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02203 400 NtQueryValueKey (412, (412, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02204 400 NtQueryValueKey (408, (408, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 400 NtQueryValueKey (412, (412, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02206 400 NtQueryValueKey (412, (412, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02207 400 NtQueryValueKey (412, (412, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02208 400 NtQueryValueKey (412, (412, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02209 400 NtQueryValueKey (412, (412, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02210 400 NtQueryValueKey (412, (412, "UseEdns", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02211 400 NtQueryValueKey (412, (412, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 400 NtQueryValueKey (408, (408, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02213 400 NtQueryValueKey (412, (412, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02214 400 NtQueryValueKey (412, (412, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02215 400 NtQueryValueKey (408, (408, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02216 400 NtQueryValueKey (412, (412, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02217 400 NtQueryValueKey (408, (408, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02218 400 NtQueryValueKey (412, (412, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02219 400 NtQueryValueKey (408, (408, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02220 400 NtQueryValueKey (412, (412, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 400 NtQueryValueKey (408, (408, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02222 400 NtQueryValueKey (412, (412, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02223 400 NtQueryValueKey (408, (408, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 400 NtQueryValueKey (412, (412, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02225 400 NtQueryValueKey (408, (408, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02226 400 NtQueryValueKey (412, (412, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02227 400 NtQueryValueKey (408, (408, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02228 400 NtQueryValueKey (412, (412, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02229 400 NtQueryValueKey (408, (408, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 400 NtQueryValueKey (412, (412, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 400 NtQueryValueKey (412, (412, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02232 400 NtQueryValueKey (412, (412, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 400 NtQueryValueKey (412, (412, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02234 400 NtQueryValueKey (412, (412, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02235 400 NtQueryValueKey (412, (412, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 400 NtQueryValueKey (412, (412, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02237 400 NtQueryValueKey (412, (412, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02238 400 NtQueryValueKey (412, (412, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02239 400 NtQueryValueKey (412, (412, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02240 400 NtQueryValueKey (412, (412, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02241 400 NtQueryValueKey (412, (412, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02242 400 NtQueryValueKey (412, (412, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02243 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 416, ) }, ... 416, ) == 0x0 02244 400 NtQueryValueKey (416, (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02245 400 NtClose (416, ... ) == 0x0 02246 400 NtClose (408, ... ) == 0x0 02247 400 NtClose (412, ... ) == 0x0 02248 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 02249 400 NtQueryValueKey (412, (412, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02250 400 NtQueryValueKey (412, (412, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02251 400 NtQueryValueKey (412, (412, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02252 400 NtClose (412, ... ) == 0x0 02253 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 412, ) == 0x0 02254 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 408, ) == 0x0 02255 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 416, ) == 0x0 02256 400 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02257 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02258 400 NtAllocateVirtualMemory (-1, 41418752, 0, 4096, 4096, 4, ... 41418752, 4096, ) == 0x0 02259 400 NtAllocateVirtualMemory (-1, 41422848, 0, 8192, 4096, 4, ... 41422848, 8192, ) == 0x0 02260 400 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 420, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 420, {status=0x0, info=0}, ) == 0x0 02261 400 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 424, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 424, {status=0x0, info=0}, ) == 0x0 02262 400 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) == 0x0 02263 400 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 432, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 432, {status=0x0, info=0}, ) == 0x0 02264 400 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1243200, (0x20100080, {24, 0, 0x40, 0, 1243200, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=0}, ) == 0x0 02265 400 NtAllocateVirtualMemory (-1, 41431040, 0, 36864, 4096, 4, ... 41431040, 36864, ) == 0x0 02266 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
440, ) == 0x0 02267 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02268 400 NtClose (440, ... ) == 0x0 02269 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02270 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\5\2118\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\5\2118\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 02271 400 NtClose (440, ... ) == 0x0 02272 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02273 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0%\2118\273\26|\10\0\361\1\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\243\0\0S\1\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0%\2118\273\26|\10\0\361\1\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\243\0\0S\1\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 02274 400 NtClose (440, ... ) == 0x0 02275 400 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02276 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02277 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02278 400 NtClose (440, ... ) == 0x0 02279 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02280 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... 
{status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 02281 400 NtClose (440, ... ) == 0x0 02282 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02283 400 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 02284 400 NtClose (440, ... ) == 0x0 02285 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02286 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02287 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02288 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02289 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02290 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02291 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02292 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02293 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... 
{BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02294 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02295 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02296 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02297 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02298 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02299 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02300 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02301 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02302 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02303 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02304 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02305 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02306 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02307 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 
41549824, 4096, ) == 0x0 02308 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02309 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02310 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02311 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02312 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02313 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02314 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02315 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02316 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02317 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02318 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02319 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02320 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02321 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... 
{BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02322 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02323 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02324 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02325 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02326 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02327 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02328 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02329 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02330 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02331 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02332 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02333 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02334 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02335 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
41549824, 65536, ) == 0x0 02336 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02337 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02338 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02339 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02340 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02341 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02342 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02343 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02344 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02345 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02346 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02347 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02348 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02349 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... 
(0x27a0000), 65536, ) == 0x0 02350 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02351 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02352 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02353 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02354 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02355 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02356 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02357 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02358 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02359 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02360 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02361 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02362 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02363 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... 
{BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02364 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02365 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02366 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02367 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02368 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02369 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02370 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02371 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02372 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02373 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02374 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02375 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02376 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02377 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 
41549824, 4096, ) == 0x0 02378 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02379 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02380 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02381 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02382 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02383 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02384 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02385 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02386 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02387 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02388 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02389 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02390 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02391 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... 
{BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02392 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02393 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02394 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02395 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02396 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02397 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02398 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02399 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02400 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41549824, 65536, ) == 0x0 02401 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02402 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02403 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02404 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02405 400 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
41549824, 65536, ) == 0x0 02406 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02407 400 NtAllocateVirtualMemory (-1, 41549824, 0, 1, 4096, 4, ... 41549824, 4096, ) == 0x0 02408 400 NtQueryVirtualMemory (-1, 0x27a0000, Basic, 28, ... {BaseAddress=0x27a0000,AllocationBase=0x27a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02409 400 NtFreeVirtualMemory (-1, (0x27a0000), 0, 32768, ... (0x27a0000), 65536, ) == 0x0 02410 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 440, ) }, ... 440, ) == 0x0 02411 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 444, ) }, ... 444, ) == 0x0 02412 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 448, ) }, ... 448, ) == 0x0 02413 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 452, ) }, ... 452, ) == 0x0 02414 400 NtQueryDefaultLocale (1, 1243136, ... ) == 0x0 02415 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 456, ) }, ... 456, ) == 0x0 02416 400 NtMapViewOfSection (456, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 02417 400 NtClose (456, ... ) == 0x0 02418 400 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 456, ) == 0x0 02419 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 460, ) == 0x0 02420 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 464, ) }, ... 
464, ) == 0x0 02421 400 NtNotifyChangeKey (464, 460, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 02422 400 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 02423 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 468, ) == 0x0 02424 400 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 472, ) == 0x0 02425 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02426 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02427 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02428 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02429 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02430 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 480, ) == 0x0 02431 400 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02432 400 NtClose (476, ... ) == 0x0 02433 400 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 02434 400 NtClose (480, ... ) == 0x0 02435 400 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 02436 400 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 02437 400 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 02438 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 480, ) }, ... 480, ) == 0x0 02439 400 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x763b0000), 0x0, 282624, ) == 0x0 02440 400 NtClose (480, ... ) == 0x0 02441 400 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02442 400 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02443 400 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 02444 400 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 02445 400 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 02446 400 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 02447 400 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02448 400 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02449 400 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02450 400 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02451 400 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02452 400 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02453 400 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02454 400 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02455 400 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02456 400 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02457 400 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 02458 400 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02459 400 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02460 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02461 400 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02462 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02463 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02464 400 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 41549824, 262144, ) == 0x0 02465 400 NtAllocateVirtualMemory (-1, 41549824, 0, 4096, 4096, 4, ... 41549824, 4096, ) == 0x0 02466 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02467 400 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 41811968, 262144, ) == 0x0 02468 400 NtAllocateVirtualMemory (-1, 41811968, 0, 4096, 4096, 4, ... 41811968, 4096, ) == 0x0 02469 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02470 400 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 42074112, 262144, ) == 0x0 02471 400 NtAllocateVirtualMemory (-1, 42074112, 0, 4096, 4096, 4, ... 42074112, 4096, ) == 0x0 02472 400 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02473 400 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 42336256, 262144, ) == 0x0 02474 400 NtAllocateVirtualMemory (-1, 42336256, 0, 4096, 4096, 4, ... 42336256, 4096, ) == 0x0 02475 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02476 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02477 400 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02478 400 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02479 400 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 02480 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237980, ... ) }, 1237980, ... ) == 0x0 02481 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 480, {status=0x0, info=1}, ) }, 5, 96, ... 480, {status=0x0, info=1}, ) == 0x0 02482 400 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 480, ... 476, ) == 0x0 02483 400 NtClose (480, ... ) == 0x0 02484 400 NtMapViewOfSection (476, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0x28a0000), 0x0, 90112, ) == 0x0 02485 400 NtClose (476, ... ) == 0x0 02486 400 NtUnmapViewOfSection (-1, 0x28a0000, ... ) == 0x0 02487 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1238296, ... ) }, 1238296, ... ) == 0x0 02488 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02489 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 480, ) == 0x0 02490 400 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02491 400 NtClose (476, ... ) == 0x0 02492 400 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 02493 400 NtClose (480, ... ) == 0x0 02494 400 NtQueryDefaultLocale (1, 1239984, ... ) == 0x0 02495 400 NtAllocateVirtualMemory (-1, 41553920, 0, 4096, 4096, 4, ... 41553920, 4096, ) == 0x0 02496 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE"}, ... 480, ) }, ... 480, ) == 0x0 02497 400 NtClose (480, ... ) == 0x0 02498 400 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02499 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02500 400 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02501 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02502 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02503 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02504 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02505 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02506 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 480, {status=0x0, info=1}, ) }, 5, 96, ... 480, {status=0x0, info=1}, ) == 0x0 02507 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 480, ... 476, ) == 0x0 02508 400 NtQuerySection (476, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02509 400 NtClose (480, ... ) == 0x0 02510 400 NtMapViewOfSection (476, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 02511 400 NtClose (476, ... ) == 0x0 02512 400 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02513 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02514 400 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02515 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02516 400 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02517 400 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 
480, ) == 0x0 02518 400 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02519 400 NtClose (476, ... ) == 0x0 02520 400 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 02521 400 NtClose (480, ... ) == 0x0 02522 400 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02523 400 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02524 400 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\ntvdm.exe"}, 1243132, ... ) }, 1243132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02525 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242044, (0x80100080, {24, 0, 0x40, 0, 1242044, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 480, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 480, {status=0x0, info=1}, ) == 0x0 02526 400 NtQueryInformationFile (480, 1242980, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 02527 400 NtQueryInformationFile (480, 1242952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02528 400 NtQueryInformationFile (480, 1242904, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02529 400 NtAllocateVirtualMemory (-1, 1388544, 0, 8192, 4096, 4, ... 1388544, 8192, ) == 0x0 02530 400 NtQueryInformationFile (480, 1385320, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 02531 400 NtQueryInformationFile (480, 1241448, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02532 400 NtQueryInformationFile (480, 1241292, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 02533 400 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1241300, (0x40110080, {24, 0, 0x40, 0, 1241300, "\??\C:\WINDOWS\ntvdm.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 02534 400 NtClose (-2147482020, ... ) == 0x0 02533 400 NtCreateFile ... 476, {status=0x0, info=2}, ) == 0x0 02535 400 NtQueryVolumeInformationFile (476, 1240672, 536, Attribute, ... 
{status=0x0, info=22}, ) == 0x0 02536 400 NtQueryInformationFile (476, 1240632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02537 400 NtQueryVolumeInformationFile (480, 1240672, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02538 400 NtQueryVolumeInformationFile (480, 1240356, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02539 400 NtSetInformationFile (476, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02540 400 NtAllocateVirtualMemory (-1, 1396736, 0, 65536, 4096, 4, ... 1396736, 65536, ) == 0x0 02541 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\321\370\216\370\225\231\340\253\225\231\340\253\225\231\340\253\356\205\354\253\226\231\340\253\26\205\356\253\220\231\340\253}\206\352\253\236\231\340\253V\226\275\253\223\231\340\253\225\231\341\2534\231\340\253}\206\344\253\220\231\340\253}\206\353\253\265\231\340\253Rich\225\231\340\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\251&\204F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\1\0\0\342\6\0\0\0\0\0\24P\10\0\0\20\0\0\0@\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\30\0\0\4\0\0\3663\10\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24@\10\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0 \0 \10\0\0\20\0\0\0\316\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc \0\20\0\0\00\10\0\0\0\0\0\0\336\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ida", ) , ) == 0x0 02542 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\321\370\216\370\225\231\340\253\225\231\340\253\225\231\340\253\356\205\354\253\226\231\340\253\26\205\356\253\220\231\340\253}\206\352\253\236\231\340\253V\226\275\253\223\231\340\253\225\231\341\2534\231\340\253}\206\344\253\220\231\340\253}\206\353\253\265\231\340\253Rich\225\231\340\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\251&\204F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\1\0\0\342\6\0\0\0\0\0\24P\10\0\0\20\0\0\0@\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\30\0\0\4\0\0\3663\10\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24@\10\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0 \0 \10\0\0\20\0\0\0\316\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc \0\20\0\0\00\10\0\0\0\0\0\0\336\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ida", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02543 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "HG\274\204N\344hU\30\236_m`a\341\224h&d\21\375<\373a9\20cX\215a\347\321\251\356\20\354o\200\363i\14\305\14\370\344qd\27g\35\307\0\250\345\245\24\276\331%\256L\212\264p\203d:b'\21\200\336\24\7\235F\344\331\305\3122 \374\220\274\32\320\316Hpi\274\4\234\337\200\240\315\307]\270\210'\214\352\202\350'CP \17\345a\342S\376>\200;\356\344g:|8\0\272\316I0\32\270\354D\0\333\3\307ix\267\230\0\303\254\222G\342Z\352\2758\304\0\365\261e\11&\265\7\16\\353@\25\200_\335\357\314j7D\301@1\252\223F\0\324\275\361\0*\326\374\261s\15\14\216\0\34P\351\26\270\260\6\262\17\23\314\31\265 8*\323\252\247\31T\342_\270\367\350\324\374,\253\37xT\207\4\375\312\370\207^\347\343b,\326@\330j\2\0\12\206\34H\330[\272\253\17Wd\360\302\301\202\304\312\227\310\247\230\14\24C\352@6z\356=kt\0@\216\27\271\354\350\254\0\275R\335\33\7wa\364\0\340\355\373\266\227\36\342F\17\352\341\3575p\0n41\277\35\\351\3\342\220\227[\262\7\317\340\202 \4\234\0\372\266\250A4D\300\366\0\357)\377\247dhs2&\277\138\22!.\224\272\00\356\376\363\17\360\365\0\256e4#\216\35[\351\1\343\264\275\6\242\23\302\310x\2\36\301\235\303\305\324T3\203\214\346\221;\221\300k:\0\11\12\270\34\207\331\356\246\0\300A\325\334cr\250\10\36\307\351\305\314\360\2@\354\20\344\355<\0\235:\16%\216\37\207\0\327\32\265\231X\251\322\336\0\23\274\3046\355\305\215\223\0T.p\325\344\341*\221\0\367gq\13%\214\37\235\263\214WPh_\177\\1\275\3563\377\365\240j\3644\205\2", ) , ) == 0x0 02544 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "HG\274\204N\344hU\30\236_m`a\341\224h&d\21\375<\373a9\20cX\215a\347\321\251\356\20\354o\200\363i\14\305\14\370\344qd\27g\35\307\0\250\345\245\24\276\331%\256L\212\264p\203d:b'\21\200\336\24\7\235F\344\331\305\3122 \374\220\274\32\320\316Hpi\274\4\234\337\200\240\315\307]\270\210'\214\352\202\350'CP 
\17\345a\342S\376>\200;\356\344g:|8\0\272\316I0\32\270\354D\0\333\3\307ix\267\230\0\303\254\222G\342Z\352\2758\304\0\365\261e\11&\265\7\16\\353@\25\200_\335\357\314j7D\301@1\252\223F\0\324\275\361\0*\326\374\261s\15\14\216\0\34P\351\26\270\260\6\262\17\23\314\31\265 8*\323\252\247\31T\342_\270\367\350\324\374,\253\37xT\207\4\375\312\370\207^\347\343b,\326@\330j\2\0\12\206\34H\330[\272\253\17Wd\360\302\301\202\304\312\227\310\247\230\14\24C\352@6z\356=kt\0@\216\27\271\354\350\254\0\275R\335\33\7wa\364\0\340\355\373\266\227\36\342F\17\352\341\3575p\0n41\277\35\\351\3\342\220\227[\262\7\317\340\202 \4\234\0\372\266\250A4D\300\366\0\357)\377\247dhs2&\277\138\22!.\224\272\00\356\376\363\17\360\365\0\256e4#\216\35[\351\1\343\264\275\6\242\23\302\310x\2\36\301\235\303\305\324T3\203\214\346\221;\221\300k:\0\11\12\270\34\207\331\356\246\0\300A\325\334cr\250\10\36\307\351\305\314\360\2@\354\20\344\355<\0\235:\16%\216\37\207\0\327\32\265\231X\251\322\336\0\23\274\3046\355\305\215\223\0T.p\325\344\341*\221\0\367gq\13%\214\37\235\263\214WPh_\177\\1\275\3563\377\365\240j\3644\205\2", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02545 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\15\23\214p\357\305;&;:[\275\133*S\370\335\24r\J\233\22\310\3177e\203\321,,\20RQ@Z\200\316\307\307\6\305\376i\327&\210(\14eY6\364^#g\326\331/\276Hq\351T}\307y]K\332\207'j\265w\253\324\177\370](\362\14\311\272>\260\213\343\17\200\211\342\270\13\3UN\245V\201\363\300\14/9\267Y,K\60\377\3\220\237\11oV+TUb\35\5\10Y\370\375\320\357\22\320\244\376=\301hf\326\354WZ\370:\262\211\377\356|LZ4\22(J\374\306\364\276\242\314\227\250J\241\351\267(\352\7\5\36L\31\300\11\305XM\267\16\212i\2W\4&]\253\317\232N\217\245>\351\251\316\370\261p\314W\4\372\367 \323)\305\177\342\376\304\243}\263\332\4\202\256\311q\356\243WXfM@L\24\2\347\365B\220x\300\266\320\\267\372\4\26\260G\312\0 \315B,eS\227\360\210\240\24)K'b\5\302\374\0\217\236\207\311\230-\351 `S\267*\340\375\265\247}Q\343o\353V\34\14@\375Z,P\20k\10\2572\0-\267Te{]bS<\357\317\3\1\315\7\242v=\265t\323\33i\4\32\262~ \321\201\277\3115\314\301`\220\271\22Yh\247\300!\351\\265\200)\307\227~fk\364{#\266\11\351\366\244\6X\276\302\254\337P\202\237\334\7\353l\243\11\300\351\212N\377\224\246'U\244y,B\216?\200\212\5\26\25`\363*\11N#\300\270)\363\337IKlG\253L\372_\5H\11'PZ\253, ) , ) == 0x0 02546 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\15\23\214p\357\305;&;:[\275\133*S\370\335\24r\J\233\22\310\3177e\203\321,,\20RQ@Z\200\316\307\307\6\305\376i\327&\210(\14eY6\364^#g\326\331/\276Hq\351T}\307y]K\332\207'j\265w\253\324\177\370](\362\14\311\272>\260\213\343\17\200\211\342\270\13\3UN\245V\201\363\300\14/9\267Y,K\60\377\3\220\237\11oV+TUb\35\5\10Y\370\375\320\357\22\320\244\376=\301hf\326\354WZ\370:\262\211\377\356|LZ4\22(J\374\306\364\276\242\314\227\250J\241\351\267(\352\7\5\36L\31\300\11\305XM\267\16\212i\2W\4&]\253\317\232N\217\245>\351\251\316\370\261p\314W\4\372\367 \323)\305\177\342\376\304\243}\263\332\4\202\256\311q\356\243WXfM@L\24\2\347\365B\220x\300\266\320\\267\372\4\26\260G\312\0 \315B,eS\227\360\210\240\24)K'b\5\302\374\0\217\236\207\311\230-\351 
`S\267*\340\375\265\247}Q\343o\353V\34\14@\375Z,P\20k\10\2572\0-\267Te{]bS<\357\317\3\1\315\7\242v=\265t\323\33i\4\32\262~ \321\201\277\3115\314\301`\220\271\22Yh\247\300!\351\\265\200)\307\227~fk\364{#\266\11\351\366\244\6X\276\302\254\337P\202\237\334\7\353l\243\11\300\351\212N\377\224\246'U\244y,B\216?\200\212\5\26\25`\363*\11N#\300\270)\363\337IKlG\253L\372_\5H\11'PZ\253, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02547 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\5\275\244C\1\201\267\261\345@d\2025\221\230k-\253E$\6\306\276\354\242,\256\33\235\254\226O\302\225XL\360XTY6\350\222H\341R\306Y\260\307-\313\26) 2\12\335\5\7\22Z\217\344O\30uR\270\340\201P\210\16x\307\11\1\312`#E\260\226\342\202\305\374\16#`f\355\26\1!\30D\1\325W\277U\10\353\224\26\23\27\276a\2f\323\257\16a\31(=Dw&\274!\\237\336\204\12\332\376\26\272"\203z\324\361&bYh~\350+:\211M\215\241I(>0\202\226p\333Xm\21\1y'\254w\351N1\200.N\224k\303\365\301u\202k\250O\227\241>z<\343\351*\356J\257\4h^kd:\270F/\1\20\243[\367\240\334Z{\347!I<\16-\307T<\204\351\267\242\257\242\177\337\214\333\303\2601X\360Iy-\374~yx\226?\261vj\316A\3\227^\214 W \26210YV\250_\22/H|8\4\233\257-\372\320\273j\346\364\371aghv\30\350\16]F\376\0\206\374s\362\306\200\333\316\0\314\311C[Q\17\207\27\241`\22@H\332}\264\0\354\3\267ioX\235\246\0-\251\376\207\214)[Z\5\213\275%*\33\356\201\354P]\213@\265\260\331\214(\332H\20\365\0\322\376z\33^1\2050\311\2;\366\24o\3465\12)\215q\36\14\7\311<\235\227\365w\306\267\357\222d\374\200\231\2)\2059b\15.\267&\312\10\200\12\376\201\370H\277\1E\17\205\271\326\244\215\10@\247oV\256U\1\341\\2661\235\315\3\200N_\15\24\340\252\367\50\2\211\316&\16\2338\340\21\265\3732\24\17\212\312l\361\200\214B\357\253\364\\16n\3\224.\311\3378\362]\236\4\1\37\345\\253\230*\207\30+%)\320Kt", ) 
\203z\324\361&bYh~\350+:\211M\215\241I(>0\202\226p\333Xm\21\1y'\254w\351N1\200.N\224k\303\365\301u\202k\250O\227\241>z<\343\351*\356J\257\4h^kd:\270F/\1\20\243[\367\240\334Z{\347!I<\16-\307T<\204\351\267\242\257\242\177\337\214\333\303\2601X\360Iy-\374~yx\226?\261vj\316A\3\227^\214 W \26210YV\250_\22/H|8\4\233\257-\372\320\273j\346\364\371aghv\30\350\16]F\376\0\206\374s\362\306\200\333\316\0\314\311C[Q\17\207\27\241`\22@H\332}\264\0\354\3\267ioX\235\246\0-\251\376\207\214)[Z\5\213\275%*\33\356\201\354P]\213@\265\260\331\214(\332H\20\365\0\322\376z\33^1\2050\311\2;\366\24o\3465\12)\215q\36\14\7\311<\235\227\365w\306\267\357\222d\374\200\231\2)\2059b\15.\267&\312\10\200\12\376\201\370H\277\1E\17\205\271\326\244\215\10@\247oV\256U\1\341\\2661\235\315\3\200N_\15\24\340\252\367\50\2\211\316&\16\2338\340\21\265\3732\24\17\212\312l\361\200\214B\357\253\364\\16n\3\224.\311\3378\362]\236\4\1\37\345\\253\230*\207\30+%)\320Kt", ) == 0x0 02548 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\5\275\244C\1\201\267\261\345@d\2025\221\230k-\253E$\6\306\276\354\242,\256\33\235\254\226O\302\225XL\360XTY6\350\222H\341R\306Y\260\307-\313\26) 2\12\335\5\7\22Z\217\344O\30uR\270\340\201P\210\16x\307\11\1\312`#E\260\226\342\202\305\374\16#`f\355\26\1!\30D\1\325W\277U\10\353\224\26\23\27\276a\2f\323\257\16a\31(=Dw&\274!\\237\336\204\12\332\376\26\272"\203z\324\361&bYh~\350+:\211M\215\241I(>0\202\226p\333Xm\21\1y'\254w\351N1\200.N\224k\303\365\301u\202k\250O\227\241>z<\343\351*\356J\257\4h^kd:\270F/\1\20\243[\367\240\334Z{\347!I<\16-\307T<\204\351\267\242\257\242\177\337\214\333\303\2601X\360Iy-\374~yx\226?\261vj\316A\3\227^\214 W 
\26210YV\250_\22/H|8\4\233\257-\372\320\273j\346\364\371aghv\30\350\16]F\376\0\206\374s\362\306\200\333\316\0\314\311C[Q\17\207\27\241`\22@H\332}\264\0\354\3\267ioX\235\246\0-\251\376\207\214)[Z\5\213\275%*\33\356\201\354P]\213@\265\260\331\214(\332H\20\365\0\322\376z\33^1\2050\311\2;\366\24o\3465\12)\215q\36\14\7\311<\235\227\365w\306\267\357\222d\374\200\231\2)\2059b\15.\267&\312\10\200\12\376\201\370H\277\1E\17\205\271\326\244\215\10@\247oV\256U\1\341\\2661\235\315\3\200N_\15\24\340\252\367\50\2\211\316&\16\2338\340\21\265\3732\24\17\212\312l\361\200\214B\357\253\364\\16n\3\224.\311\3378\362]\236\4\1\37\345\\253\230*\207\30+%)\320Kt", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \203z\324\361&bYh~\350+:\211M\215\241I(>0\202\226p\333Xm\21\1y'\254w\351N1\200.N\224k\303\365\301u\202k\250O\227\241>z<\343\351*\356J\257\4h^kd:\270F/\1\20\243[\367\240\334Z{\347!I<\16-\307T<\204\351\267\242\257\242\177\337\214\333\303\2601X\360Iy-\374~yx\226?\261vj\316A\3\227^\214 W \26210YV\250_\22/H|8\4\233\257-\372\320\273j\346\364\371aghv\30\350\16]F\376\0\206\374s\362\306\200\333\316\0\314\311C[Q\17\207\27\241`\22@H\332}\264\0\354\3\267ioX\235\246\0-\251\376\207\214)[Z\5\213\275%*\33\356\201\354P]\213@\265\260\331\214(\332H\20\365\0\322\376z\33^1\2050\311\2;\366\24o\3465\12)\215q\36\14\7\311<\235\227\365w\306\267\357\222d\374\200\231\2)\2059b\15.\267&\312\10\200\12\376\201\370H\277\1E\17\205\271\326\244\215\10@\247oV\256U\1\341\\2661\235\315\3\200N_\15\24\340\252\367\50\2\211\316&\16\2338\340\21\265\3732\24\17\212\312l\361\200\214B\357\253\364\\16n\3\224.\311\3378\362]\236\4\1\37\345\\253\230*\207\30+%)\320Kt", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02549 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\4\3\10\366\272"\212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1"\340U\327\264\233\345PI\214\250\37\2657o\34\363\7\35\372 \261C|Fap2T\26\23\354 \14\363l\20\0\#xp`\220\275\254\2\364\362&\12Dn\300P\272\246\203\251/*\345\355D\220\200\250-lX\24\6S\255\214\29Fq\242\17E\374\344]`X\211\255\7\274.\77z` 2\272\371\250\324\16\367R\212\300#\215=\48\241 \335\316,\36b\360\200\331\36\35g\203\242\10\314c\231|\27\33S\274:d#\346\7\340\13\25\300f\342T?%\301z\27T\221R\200r@\4\266t\17\267\351\362~\215\244\36010\300\316\1\6\324\205\332\27P8\17'S\230\215\341\246\360\6\327Q\220.f0\350\26\214\2\244\346\374\362\245E\31B\27%\254\300`\233\30f\4\223\324t\373\32\340\240L`\177)d\214\3646kw\30\267\34\0Ix\356\255\20\251\260H /\252\10N\22Z\301\2\366~\33\227\237\370\21T\2169\2230\230`\217/\0\351\366\261\3\30\35\354 1\245_H2\372%l\350;o\1.~\242\3\33\228@\350\213\331\241\210\377\225;[c\5\323\312\240\33\26\204:\250#\344\0\310a[J\303\343\36<\255%\307\351Vv\20#\267\274\340\177\242\11\372\310x\324\2\270\277\213\0&\31~_\0'KU:(\351\211\241'\364\261\20\350\327T\0\246\275\37\370\307'\236\225\0\321O\4R\\372\226oH&\213;\252\30\23\3719\177P\0\304\237\236m}\233\242\33\0\377\203\261)\250,", ) \212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1 (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\4\3\10\366\272"\212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1"\340U\327\264\233\345PI\214\250\37\2657o\34\363\7\35\372 \261C|Fap2T\26\23\354 \14\363l\20\0\#xp`\220\275\254\2\364\362&\12Dn\300P\272\246\203\251/*\345\355D\220\200\250-lX\24\6S\255\214\29Fq\242\17E\374\344]`X\211\255\7\274.\77z` 2\272\371\250\324\16\367R\212\300#\215=\48\241 \335\316,\36b\360\200\331\36\35g\203\242\10\314c\231|\27\33S\274:d#\346\7\340\13\25\300f\342T?%\301z\27T\221R\200r@\4\266t\17\267\351\362~\215\244\36010\300\316\1\6\324\205\332\27P8\17'S\230\215\341\246\360\6\327Q\220.f0\350\26\214\2\244\346\374\362\245E\31B\27%\254\300`\233\30f\4\223\324t\373\32\340\240L`\177)d\214\3646kw\30\267\34\0Ix\356\255\20\251\260H /\252\10N\22Z\301\2\366~\33\227\237\370\21T\2169\2230\230`\217/\0\351\366\261\3\30\35\354 1\245_H2\372%l\350;o\1.~\242\3\33\228@\350\213\331\241\210\377\225;[c\5\323\312\240\33\26\204:\250#\344\0\310a[J\303\343\36<\255%\307\351Vv\20#\267\274\340\177\242\11\372\310x\324\2\270\277\213\0&\31~_\0'KU:(\351\211\241'\364\261\20\350\327T\0\246\275\37\370\307'\236\225\0\321O\4R\\372\226oH&\213;\252\30\23\3719\177P\0\304\237\236m}\233\242\33\0\377\203\261)\250,", ) , ) == 0x0 02550 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\4\3\10\366\272"\212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1"\340U\327\264\233\345PI\214\250\37\2657o\34\363\7\35\372 \261C|Fap2T\26\23\354 \14\363l\20\0\#xp`\220\275\254\2\364\362&\12Dn\300P\272\246\203\251/*\345\355D\220\200\250-lX\24\6S\255\214\29Fq\242\17E\374\344]`X\211\255\7\274.\77z` 2\272\371\250\324\16\367R\212\300#\215=\48\241 
\335\316,\36b\360\200\331\36\35g\203\242\10\314c\231|\27\33S\274:d#\346\7\340\13\25\300f\342T?%\301z\27T\221R\200r@\4\266t\17\267\351\362~\215\244\36010\300\316\1\6\324\205\332\27P8\17'S\230\215\341\246\360\6\327Q\220.f0\350\26\214\2\244\346\374\362\245E\31B\27%\254\300`\233\30f\4\223\324t\373\32\340\240L`\177)d\214\3646kw\30\267\34\0Ix\356\255\20\251\260H /\252\10N\22Z\301\2\366~\33\227\237\370\21T\2169\2230\230`\217/\0\351\366\261\3\30\35\354 1\245_H2\372%l\350;o\1.~\242\3\33\228@\350\213\331\241\210\377\225;[c\5\323\312\240\33\26\204:\250#\344\0\310a[J\303\343\36<\255%\307\351Vv\20#\267\274\340\177\242\11\372\310x\324\2\270\277\213\0&\31~_\0'KU:(\351\211\241'\364\261\20\350\327T\0\246\275\37\370\307'\236\225\0\321O\4R\\372\226oH&\213;\252\30\23\3719\177P\0\304\237\236m}\233\242\33\0\377\203\261)\250,", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1 (476, 0, 0, 0, "\4\3\10\366\272"\212\354\4h\362\6\243\211\37\24\22\14\0$\5\315'\230\360\372\5Pdo\333\246\310\10\217\214\4\3728\247 \315\316\30Q\277\350\373\201I\256$\0\242\213\207G\324\3r\65\343tu\2471\2\260\370\313\360 \276#NO\17\311H1"\340U\327\264\233\345PI\214\250\37\2657o\34\363\7\35\372 \261C|Fap2T\26\23\354 \14\363l\20\0\#xp`\220\275\254\2\364\362&\12Dn\300P\272\246\203\251/*\345\355D\220\200\250-lX\24\6S\255\214\29Fq\242\17E\374\344]`X\211\255\7\274.\77z` 2\272\371\250\324\16\367R\212\300#\215=\48\241 \335\316,\36b\360\200\331\36\35g\203\242\10\314c\231|\27\33S\274:d#\346\7\340\13\25\300f\342T?%\301z\27T\221R\200r@\4\266t\17\267\351\362~\215\244\36010\300\316\1\6\324\205\332\27P8\17'S\230\215\341\246\360\6\327Q\220.f0\350\26\214\2\244\346\374\362\245E\31B\27%\254\300`\233\30f\4\223\324t\373\32\340\240L`\177)d\214\3646kw\30\267\34\0Ix\356\255\20\251\260H 
/\252\10N\22Z\301\2\366~\33\227\237\370\21T\2169\2230\230`\217/\0\351\366\261\3\30\35\354 1\245_H2\372%l\350;o\1.~\242\3\33\228@\350\213\331\241\210\377\225;[c\5\323\312\240\33\26\204:\250#\344\0\310a[J\303\343\36<\255%\307\351Vv\20#\267\274\340\177\242\11\372\310x\324\2\270\277\213\0&\31~_\0'KU:(\351\211\241'\364\261\20\350\327T\0\246\275\37\370\307'\236\225\0\321O\4R\\372\226oH&\213;\252\30\23\3719\177P\0\304\237\236m}\233\242\33\0\377\203\261)\250,", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02551 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\313\6'\372\\355 d[\0\201\234\306\212\275\251\213\203\0\217qs\324g\34\227\363\7&\225\376\321n\36\300d\265\257#:\7\327\323\216\366\\220\350\2\26208Sr\3bf\307o\3\361j\325\330B\210\1&Q\223\1\4T\235R\2742@\3663o\0\22\323\213,\202\36\253-\0\270kQ\13\3054\341\263;P\30\276\24\2009#\2767\325v\37\0\356g\254\377\271Qy\373\1\33\13m/\376\310\260`\207\3\0Th\23\234\332:L\327\374\274\26\314u\320@\214\203\237z\302\347\177i\0\270)\377k\2365\243\275\0\3659\232\254\375\322\242%\3\345\2248\233 ,\300\215w\236\0b\4\213JS/\210\366\0:\235\245B\370\303\275\203\241\360\253\354ug\0/\306\230$\337r\246`\240\364\355\357\17\267\207\255\252\343\217\350\257\1\270\331y02\265b \341\275\0\223\311\271a\240\235\200\138\2\212\200\314|\254\206\322\266\252\0\264\210n\263\233\211>\274\0\15\346\342\307u\270D^\372\22\0\2345\3542\304\366&\334H\236d\1\256\10;\26\13\250\310J\216\0I'B9M8\217\251\374\377\171\3\246add\331\200\Jt\347\3n\255_\272@>\340\365\252\363\5!\360QU\367\1\371\304\341\364\21$\\35\220g.\366\354\230\203\367w=\351\360\320j\363\0~\306\17\36H\307&\243<\310\334\2w\2215\202\4@`\203\211\0*\312~y/\237\371\332\4?\333 
\331\341\220\254E\377\315\17"\205P\347\263G@J\326\305a\0\264\21\14>)\356\17\211hN\303\202w\344t\203\332\310\307\250V\2401\17(y\212\304\3005\30\375\227\251?@\233\200\326\305\276Mi\337\335LX\335\7'\16\306\203\340\317~\204C\7\256\316\32]\331p\201,\353v\0\374R\235U.\346", ) \205P\347\263G@J\326\305a\0\264\21\14>)\356\17\211hN\303\202w\344t\203\332\310\307\250V\2401\17(y\212\304\3005\30\375\227\251?@\233\200\326\305\276Mi\337\335LX\335\7'\16\306\203\340\317~\204C\7\256\316\32]\331p\201,\353v\0\374R\235U.\346", ) == 0x0 02552 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\313\6'\372\\355 d[\0\201\234\306\212\275\251\213\203\0\217qs\324g\34\227\363\7&\225\376\321n\36\300d\265\257#:\7\327\323\216\366\\220\350\2\26208Sr\3bf\307o\3\361j\325\330B\210\1&Q\223\1\4T\235R\2742@\3663o\0\22\323\213,\202\36\253-\0\270kQ\13\3054\341\263;P\30\276\24\2009#\2767\325v\37\0\356g\254\377\271Qy\373\1\33\13m/\376\310\260`\207\3\0Th\23\234\332:L\327\374\274\26\314u\320@\214\203\237z\302\347\177i\0\270)\377k\2365\243\275\0\3659\232\254\375\322\242%\3\345\2248\233 ,\300\215w\236\0b\4\213JS/\210\366\0:\235\245B\370\303\275\203\241\360\253\354ug\0/\306\230$\337r\246`\240\364\355\357\17\267\207\255\252\343\217\350\257\1\270\331y02\265b \341\275\0\223\311\271a\240\235\200\138\2\212\200\314|\254\206\322\266\252\0\264\210n\263\233\211>\274\0\15\346\342\307u\270D^\372\22\0\2345\3542\304\366&\334H\236d\1\256\10;\26\13\250\310J\216\0I'B9M8\217\251\374\377\171\3\246add\331\200\Jt\347\3n\255_\272@>\340\365\252\363\5!\360QU\367\1\371\304\341\364\21$\\35\220g.\366\354\230\203\367w=\351\360\320j\363\0~\306\17\36H\307&\243<\310\334\2w\2215\202\4@`\203\211\0*\312~y/\237\371\332\4?\333 \331\341\220\254E\377\315\17"\205P\347\263G@J\326\305a\0\264\21\14>)\356\17\211hN\303\202w\344t\203\332\310\307\250V\2401\17(y\212\304\3005\30\375\227\251?@\233\200\326\305\276Mi\337\335LX\335\7'\16\306\203\340\317~\204C\7\256\316\32]\331p\201,\353v\0\374R\235U.\346", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \205P\347\263G@J\326\305a\0\264\21\14>)\356\17\211hN\303\202w\344t\203\332\310\307\250V\2401\17(y\212\304\3005\30\375\227\251?@\233\200\326\305\276Mi\337\335LX\335\7'\16\306\203\340\317~\204C\7\256\316\32]\331p\201,\353v\0\374R\235U.\346", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02553 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "6\2,\307\347\325\201\210\223\341\200\370\336\253\0v\237\243~\263F\354\227\11p\373\244@ ,\377O\234\205\0\254\324\300\35H/w'\0\16\354\262E\364j@\26\0+J\3411T\35\4\7\0)\20\30\331\177\3326yq\252;\234\247\22\301`\01\302\334\310\241\32v#\334\240\2\226\212W\365@\320e\1\17\4_ [\135\240\304\300fIR\0Be\5\207\354\245A\230\36\307\10\22\244\374\201|gEf\226\200\200{&\303:o\22\0u\13\207\322\342\240/\346\0\364t+d\371^\262o\36\21\357\313\14\177M\340\34\1\331\322\351\334\213\31\15\334\4\1\26\227?\313\35\214\200\315B\256\210r\332\4\276q!\37\14\240\30\333\0m"\232\277\214-b%y\253\30j&\346 \316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215"\2`\377 \16\225+\374\0;\321{\272\331\313\201\316\7p\301\315\3\356`\362\234~\345\1\355iW\340\304D\2550\372F\0\2117OI&\201sK\7\247\243\210\13\33\220\3766%8\0\3742\315p\324'\2\211\0\225[\366A4\177\2310\0Fc\264\13\243\237\305\365\0m\356Z\200\267\377", ) \232\277\214-b%y\253\30j&\346 
\316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215 (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "6\2,\307\347\325\201\210\223\341\200\370\336\253\0v\237\243~\263F\354\227\11p\373\244@ ,\377O\234\205\0\254\324\300\35H/w'\0\16\354\262E\364j@\26\0+J\3411T\35\4\7\0)\20\30\331\177\3326yq\252;\234\247\22\301`\01\302\334\310\241\32v#\334\240\2\226\212W\365@\320e\1\17\4_ [\135\240\304\300fIR\0Be\5\207\354\245A\230\36\307\10\22\244\374\201|gEf\226\200\200{&\303:o\22\0u\13\207\322\342\240/\346\0\364t+d\371^\262o\36\21\357\313\14\177M\340\34\1\331\322\351\334\213\31\15\334\4\1\26\227?\313\35\214\200\315B\256\210r\332\4\276q!\37\14\240\30\333\0m"\232\277\214-b%y\253\30j&\346 \316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215"\2`\377 \16\225+\374\0;\321{\272\331\313\201\316\7p\301\315\3\356`\362\234~\345\1\355iW\340\304D\2550\372F\0\2117OI&\201sK\7\247\243\210\13\33\220\3766%8\0\3742\315p\324'\2\211\0\225[\366A4\177\2310\0Fc\264\13\243\237\305\365\0m\356Z\200\267\377", ) , ) == 0x0 02554 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "6\2,\307\347\325\201\210\223\341\200\370\336\253\0v\237\243~\263F\354\227\11p\373\244@ 
,\377O\234\205\0\254\324\300\35H/w'\0\16\354\262E\364j@\26\0+J\3411T\35\4\7\0)\20\30\331\177\3326yq\252;\234\247\22\301`\01\302\334\310\241\32v#\334\240\2\226\212W\365@\320e\1\17\4_ [\135\240\304\300fIR\0Be\5\207\354\245A\230\36\307\10\22\244\374\201|gEf\226\200\200{&\303:o\22\0u\13\207\322\342\240/\346\0\364t+d\371^\262o\36\21\357\313\14\177M\340\34\1\331\322\351\334\213\31\15\334\4\1\26\227?\313\35\214\200\315B\256\210r\332\4\276q!\37\14\240\30\333\0m"\232\277\214-b%y\253\30j&\346 \316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215"\2`\377 \16\225+\374\0;\321{\272\331\313\201\316\7p\301\315\3\356`\362\234~\345\1\355iW\340\304D\2550\372F\0\2117OI&\201sK\7\247\243\210\13\33\220\3766%8\0\3742\315p\324'\2\211\0\225[\366A4\177\2310\0Fc\264\13\243\237\305\365\0m\356Z\200\267\377", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \232\277\214-b%y\253\30j&\346 \316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215 (476, 0, 0, 0, "6\2,\307\347\325\201\210\223\341\200\370\336\253\0v\237\243~\263F\354\227\11p\373\244@ ,\377O\234\205\0\254\324\300\35H/w'\0\16\354\262E\364j@\26\0+J\3411T\35\4\7\0)\20\30\331\177\3326yq\252;\234\247\22\301`\01\302\334\310\241\32v#\334\240\2\226\212W\365@\320e\1\17\4_ [\135\240\304\300fIR\0Be\5\207\354\245A\230\36\307\10\22\244\374\201|gEf\226\200\200{&\303:o\22\0u\13\207\322\342\240/\346\0\364t+d\371^\262o\36\21\357\313\14\177M\340\34\1\331\322\351\334\213\31\15\334\4\1\26\227?\313\35\214\200\315B\256\210r\332\4\276q!\37\14\240\30\333\0m"\232\277\214-b%y\253\30j&\346 \316Q\34Iz\327\300\354\254{\2249\263\23\37|i\0\24\267\3330\265\344\235\300\17\227\217\0zta;h:\260\332\260L\0rl\351@\266\370\31\334g\5:\200AB6u\324K\303\0\20\22{MH\35\217\350\7\344\363x\361\1\342a\314\300\333\240\232rG|\365s_\0VE\323\347\370s\373\212\0\263\311\16M\252G\5\265\0\315\371J2j\264\307Q\270\16\0\301\230\360yk\266\377G>a|\30]j\20+\225\17q&\207i\3\370\321\370\0\264\323M\7\31Ac\212\0_/f\254%\247\275\15\16\277$Z\207\0by\276j\177;\303@\330T\0\376\5\224\204\20\3566\7\215"\2`\377 \16\225+\374\0;\321{\272\331\313\201\316\7p\301\315\3\356`\362\234~\345\1\355iW\340\304D\2550\372F\0\2117OI&\201sK\7\247\243\210\13\33\220\3766%8\0\3742\315p\324'\2\211\0\225[\366A4\177\2310\0Fc\264\13\243\237\305\365\0m\356Z\200\267\377", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02555 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "b\346\10\274\207\273\0\202"\303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K"\1\370\30\277o\16\26k\344L=\0\257\352N*\203\6U\265\0\264\337\377\313'\322fT\2\200Ip\311{H\340y\223\14\37\2418\307g\355\342P\213*\259\0P\365\23\220\177V\244\231\0H\204\266\24\236\302C!\354\361\@\1\347\326\235\252l?5(\13HU8\315H'\34\205\262\300\322\204\306nV\212q\375\350\251\0\2421\310\376\273\37\200v\0<\322\364\260\341AD\25.sB\244\1\206\240\212n\337\364z\355\16r9+\316\212W\304\200\25\310\305$\14\250\350\223\0\15\33%\20\204\247"\232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", ) \303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 
y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "b\346\10\274\207\273\0\202"\303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K"\1\370\30\277o\16\26k\344L=\0\257\352N*\203\6U\265\0\264\337\377\313'\322fT\2\200Ip\311{H\340y\223\14\37\2418\307g\355\342P\213*\259\0P\365\23\220\177V\244\231\0H\204\266\24\236\302C!\354\361\@\1\347\326\235\252l?5(\13HU8\315H'\34\205\262\300\322\204\306nV\212q\375\350\251\0\2421\310\376\273\37\200v\0<\322\364\260\341AD\25.sB\244\1\206\240\212n\337\364z\355\16r9+\316\212W\304\200\25\310\305$\14\250\350\223\0\15\33%\20\204\247"\232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", ) \232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", ) == 0x0 02556 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"b\346\10\274\207\273\0\202"\303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K"\1\370\30\277o\16\26k\344L=\0\257\352N*\203\6U\265\0\264\337\377\313'\322fT\2\200Ip\311{H\340y\223\14\37\2418\307g\355\342P\213*\259\0P\365\23\220\177V\244\231\0H\204\266\24\236\302C!\354\361\@\1\347\326\235\252l?5(\13HU8\315H'\34\205\262\300\322\204\306nV\212q\375\350\251\0\2421\310\376\273\37\200v\0<\322\364\260\341AD\25.sB\244\1\206\240\212n\337\364z\355\16r9+\316\212W\304\200\25\310\305$\14\250\350\223\0\15\33%\20\204\247"\232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K (476, 0, 0, 0, "b\346\10\274\207\273\0\202"\303_\212\354\267X\5M|SY\336\300 \200\301\237\7\25\263y5\271\177\217k\263\0s,o\17d\16;\255\376\234\354c\200\201N>\271\236\32\1\375'\276\233<\342\365\354\323\320\0D\177x\221\37\240U\34%s\14\200\233go\360 y\1\254\26<\362$\253\340\200\211\11t\27\10{\316\0\272\341\332H\335\3318\24x\206\37\122u\1\333^e\177/\20489\Y\303\30.\310\274\234R\3[j\363\237\372S\0\30iE\235\16\260\253\331\50wZ\270\334\200U\271Di\3\345\237\3037\242\4Y\2429mq\220L[\220A\0\327\1\374\300MD}\2;\352\22\200\367\31\206\3\232\261\362\13\30\237!}I\333b\0'd\233E\243\27L\345\2\234\204{\245s\300\200\271\363\320B&\260\323\0 VT\17\205\211\344l\0\347\271R\264\20\365K"\1\370\30\277o\16\26k\344L=\0\257\352N*\203\6U\265\0\264\337\377\313'\322fT\2\200Ip\311{H\340y\223\14\37\2418\307g\355\342P\213*\259\0P\365\23\220\177V\244\231\0H\204\266\24\236\302C!\354\361\@\1\347\326\235\252l?5(\13HU8\315H'\34\205\262\300\322\204\306nV\212q\375\350\251\0\2421\310\376\273\37\200v\0<\322\364\260\341AD\25.sB\244\1\206\240\212n\337\364z\355\16r9+\316\212W\304\200\25\310\305$\14\250\350\223\0\15\33%\20\204\247"\232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \232\354\12\4c\344CK,\2008\217\16\375z\377\354\342\35p\177b\214\207.P\362)D\313@\0T\215=\342J\320\206DV\33\0\35o\225\215\255,\321\272\1\277\352\13\226\204j\212\345\365Bl", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02557 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=28160}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=28160}, "a`\270G=T\273x\0\377[\312*\24#\14\1\36\316-\32\203\323\25\33w\270\254\252\20\3009Es\204\361\242\0m\347&\230:v\3667\177%\0\337V^zK\352\340y\2&\253\224\211=\270\300h8\271\0e\324\7\12\27F\320\177}\243\1\360\300\220B\302%\277\313\300+9K\2\312\33$\315j[\300J8`\0g\326!f\311\301\304]\0'\15\330\340\254\3542c{\306\3R^_\3569f\00\302Lw\215s\324\216\1\271\363:\204U\2067\331\246\377\250\337\252\326\362\255\2\351\347\374\360;\200\343\20\2238\330\201\203\216\0g\224a\16yxMY\3\222;D&\260\263\200\206\31\275\0\371wpZ+\212\216\234\0W\340\266\10\341\377\214r\%\\37o>\1\33\211{\243\16\200`\215dy_g\220\0\277\30\230>\225w}\342\0\260\360\12q\215@Vs\31m\302\207\240\213\334_\261\1^\233\231~\263,\352C\270$\370\346\264\37\0\106\303\34\245>+\21(\214q\350\0\306\320|kH@m\240\35\25\317\367Cx"7\11\340\30\326I\276\275(\Z\350BP\1GF\353\340\244\300\364\344\2417\234P\0|\335J\357\330\345\0B\327\360\202\17X\3662\0p\263\7(\372l\305P\236l\11c\226\243\220\300\240\250\260\26J;d\232\230\332hh\341zXY\10\0=I\250\234j5\222\16\302\256h~`\237\32\252\346\14W\361,\33280\0M\274ko\343\277\21\323\14@\266\214\206!\205\0\26}\357y\232\330\2\336\3\256\352\370\307.M\310c\261(\0\313\266)\225\222\316\14B\230X\203\264\360\275\274\216\356T\0(a\3S\205\341\277\344\300\210\300\267\317~:\7%9v\10-\341\220DA@\340\201\351c\376\227\37\253\335<\2\14\224Y'", ) 
7\11\340\30\326I\276\275(\Z\350BP\1GF\353\340\244\300\364\344\2417\234P\0|\335J\357\330\345\0B\327\360\202\17X\3662\0p\263\7(\372l\305P\236l\11c\226\243\220\300\240\250\260\26J;d\232\230\332hh\341zXY\10\0=I\250\234j5\222\16\302\256h~`\237\32\252\346\14W\361,\33280\0M\274ko\343\277\21\323\14@\266\214\206!\205\0\26}\357y\232\330\2\336\3\256\352\370\307.M\310c\261(\0\313\266)\225\222\316\14B\230X\203\264\360\275\274\216\356T\0(a\3S\205\341\277\344\300\210\300\267\317~:\7%9v\10-\341\220DA@\340\201\351c\376\227\37\253\335<\2\14\224Y'", ) == 0x0 02558 400 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "a`\270G=T\273x\0\377[\312*\24#\14\1\36\316-\32\203\323\25\33w\270\254\252\20\3009Es\204\361\242\0m\347&\230:v\3667\177%\0\337V^zK\352\340y\2&\253\224\211=\270\300h8\271\0e\324\7\12\27F\320\177}\243\1\360\300\220B\302%\277\313\300+9K\2\312\33$\315j[\300J8`\0g\326!f\311\301\304]\0'\15\330\340\254\3542c{\306\3R^_\3569f\00\302Lw\215s\324\216\1\271\363:\204U\2067\331\246\377\250\337\252\326\362\255\2\351\347\374\360;\200\343\20\2238\330\201\203\216\0g\224a\16yxMY\3\222;D&\260\263\200\206\31\275\0\371wpZ+\212\216\234\0W\340\266\10\341\377\214r\%\\37o>\1\33\211{\243\16\200`\215dy_g\220\0\277\30\230>\225w}\342\0\260\360\12q\215@Vs\31m\302\207\240\213\334_\261\1^\233\231~\263,\352C\270$\370\346\264\37\0\106\303\34\245>+\21(\214q\350\0\306\320|kH@m\240\35\25\317\367Cx"7\11\340\30\326I\276\275(\Z\350BP\1GF\353\340\244\300\364\344\2417\234P\0|\335J\357\330\345\0B\327\360\202\17X\3662\0p\263\7(\372l\305P\236l\11c\226\243\220\300\240\250\260\26J;d\232\230\332hh\341zXY\10\0=I\250\234j5\222\16\302\256h~`\237\32\252\346\14W\361,\33280\0M\274ko\343\277\21\323\14@\266\214\206!\205\0\26}\357y\232\330\2\336\3\256\352\370\307.M\310c\261(\0\313\266)\225\222\316\14B\230X\203\264\360\275\274\216\356T\0(a\3S\205\341\277\344\300\210\300\267\317~:\7%9v\10-\341\220DA@\340\201\351c\376\227\37\253\335<\2\14\224Y'", 28160, 0x0, 0, ... 
{status=0x0, info=28160}, ) 7\11\340\30\326I\276\275(\Z\350BP\1GF\353\340\244\300\364\344\2417\234P\0|\335J\357\330\345\0B\327\360\202\17X\3662\0p\263\7(\372l\305P\236l\11c\226\243\220\300\240\250\260\26J;d\232\230\332hh\341zXY\10\0=I\250\234j5\222\16\302\256h~`\237\32\252\346\14W\361,\33280\0M\274ko\343\277\21\323\14@\266\214\206!\205\0\26}\357y\232\330\2\336\3\256\352\370\307.M\310c\261(\0\313\266)\225\222\316\14B\230X\203\264\360\275\274\216\356T\0(a\3S\205\341\277\344\300\210\300\267\317~:\7%9v\10-\341\220DA@\340\201\351c\376\227\37\253\335<\2\14\224Y'", 28160, 0x0, 0, ... {status=0x0, info=28160}, ) == 0x0 02559 400 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE 02560 400 NtFreeVirtualMemory (-1, (0x154000), 69632, 16384, ... (0x154000), 69632, ) == 0x0 02561 400 NtSetInformationFile (476, 1242904, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02562 400 NtClose (480, ... ) == 0x0 02563 400 NtClose (476, ... ) == 0x0 02564 400 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 476, ) }, ... 476, ) == 0x0 02565 400 NtQueryValueKey (476, (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) }, 38, ) == 0x0 02566 400 NtQueryValueKey (476, (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) }, 38, ) == 0x0 02567 400 NtClose (476, ... ) == 0x0 02568 400 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242812, (0x80100080, {24, 0, 0x40, 0, 1242812, "\??\C:\WINDOWSExplorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02569 400 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\ntvdm.exe"}, 7, 2113568, ... 476, {status=0x0, info=1}, ) }, 7, 2113568, ... 476, {status=0x0, info=1}, ) == 0x0 02570 400 NtSetInformationFile (476, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02571 400 NtClose (476, ... ) == 0x0 02572 400 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 02573 400 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 02574 400 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 02575 400 NtAllocateVirtualMemory (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0 02576 400 NtAllocateVirtualMemory (-1, 1204224, 0, 4096, 4096, 260, ... 1204224, 4096, ) == 0x0 02577 400 NtAllocateVirtualMemory (-1, 1200128, 0, 4096, 4096, 260, ... 1200128, 4096, ) == 0x0 02578 400 NtAllocateVirtualMemory (-1, 1196032, 0, 4096, 4096, 260, ... 1196032, 4096, ) == 0x0 02579 400 NtAllocateVirtualMemory (-1, 1191936, 0, 4096, 4096, 260, ... 1191936, 4096, ) == 0x0 02580 400 NtAllocateVirtualMemory (-1, 1187840, 0, 4096, 4096, 260, ... 1187840, 4096, ) == 0x0 02581 400 NtAllocateVirtualMemory (-1, 1183744, 0, 4096, 4096, 260, ... 1183744, 4096, ) == 0x0 02582 400 NtAllocateVirtualMemory (-1, 1179648, 0, 4096, 4096, 260, ... 1179648, 4096, ) == 0x0 02583 400 NtAllocateVirtualMemory (-1, 1175552, 0, 4096, 4096, 260, ... 1175552, 4096, ) == 0x0 02584 400 NtAllocateVirtualMemory (-1, 1171456, 0, 4096, 4096, 260, ... 1171456, 4096, ) == 0x0 02585 400 NtCreateKey (0x20006, {24, 48, 0x40, 0, 0, (0x20006, {24, 48, 0x40, 0, 0, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02586 400 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 
476, 2, ) == 0x0 02587 400 NtCreateKey (0x2000000, {24, 476, 0x40, 0, 0, (0x2000000, {24, 476, 0x40, 0, 0, "Microsoft"}, 0, 0x0, 0, ... 480, 2, ) }, 0, 0x0, 0, ... 480, 2, ) == 0x0 02588 400 NtClose (476, ... ) == 0x0 02589 400 NtCreateKey (0x2000000, {24, 480, 0x40, 0, 0, (0x2000000, {24, 480, 0x40, 0, 0, "Windows"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 476, 2, ) == 0x0 02590 400 NtClose (480, ... ) == 0x0 02591 400 NtCreateKey (0x2000000, {24, 476, 0x40, 0, 0, (0x2000000, {24, 476, 0x40, 0, 0, "CurrentVersion"}, 0, 0x0, 0, ... 480, 2, ) }, 0, 0x0, 0, ... 480, 2, ) == 0x0 02592 400 NtClose (476, ... ) == 0x0 02593 400 NtCreateKey (0x20006, {24, 480, 0x40, 0, 0, (0x20006, {24, 480, 0x40, 0, 0, "Shell Extensions"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 476, 2, ) == 0x0 02594 400 NtClose (480, ... ) == 0x0 02595 400 NtSetValueKey (476, (476, "665578", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 0, 1, (476, "665578", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 38, ... 02596 400 NtSetInformationFile (-2147482808, -132413644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02597 400 NtSetInformationFile (-2147482808, -132414044, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02595 400 NtSetValueKey ... ) == 0x0 02598 400 NtClose (476, ... ) == 0x0 02599 400 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Kazaa\LocalContent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02600 400 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 476, ) }, ... 476, ) == 0x0 02601 400 NtWaitForSingleObject (476, 0, {-1800000000, -1}, ... ) == 0x0 02602 400 NtClose (476, ... ) == 0x0 02603 400 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02604 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02605 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 476, ) }, ... 476, ) == 0x0 02606 400 NtQueryValueKey (476, (476, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02607 400 NtClose (476, ... ) == 0x0 02608 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02609 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 476, ) == 0x0 02610 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 480, ) == 0x0 02611 400 NtQuerySystemTime (... {810305382, 29873133}, ) == 0x0 02612 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 484, ) == 0x0 02613 400 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02614 400 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 02615 400 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 02616 400 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 02617 400 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 488, ) == 0x0 02618 400 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
492, ) == 0x0 02619 400 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 496, ) }, ... 496, ) == 0x0 02620 400 NtOpenKey (0x20019, {24, 496, 0x40, 0, 0, (0x20019, {24, 496, 0x40, 0, 0, "ActiveComputerName"}, ... 500, ) }, ... 500, ) == 0x0 02621 400 NtQueryValueKey (500, (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02622 400 NtClose (500, ... ) == 0x0 02623 400 NtClose (496, ... ) == 0x0 02624 400 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 496, ) == 0x0 02625 400 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 500, ) == 0x0 02626 400 NtDuplicateObject (-1, 496, -1, 0x0, 0, 2, ... 504, ) == 0x0 02627 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02628 400 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 508, ) == 0x0 02629 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02630 400 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02631 400 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242088, (0xc0100080, {24, 0, 0x40, 0, 1242088, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 512, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 512, {status=0x0, info=1}, ) == 0x0 02632 400 NtSetInformationFile (512, 1242144, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02633 400 NtSetInformationFile (512, 1242136, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02634 400 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02635 400 NtWriteFile (512, 489, 0, 0, (512, 489, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02636 400 NtReadFile (512, 489, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (512, 489, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\202"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 02637 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\2\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\202"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\2\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\202"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 02638 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\250\0\0\0\2\0\0\0\220\0\0\0\0\0\30\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\250\251A\0\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\27\0\0\0"C:\WINDOWS\ntvdm.exe"\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 168, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) C:\WINDOWS\ntvdm.exe (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\250\0\0\0\2\0\0\0\220\0\0\0\0\0\30\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\250\251A\0\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\27\0\0\0"C:\WINDOWS\ntvdm.exe"\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 168, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 168, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\250\0\0\0\2\0\0\0\220\0\0\0\0\0\30\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\250\251A\0\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\27\0\0\0"C:\WINDOWS\ntvdm.exe"\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 168, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02639 400 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02640 400 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 516, ) }, ... 516, ) == 0x0 02641 400 NtWaitForSingleObject (516, 0, {-1800000000, -1}, ... ) == 0x0 02642 400 NtClose (516, ... ) == 0x0 02643 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02644 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\3\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... 
{status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 36, 1024, ... {status=0x103, info=52}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\3\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02645 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\4\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 68, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\4\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02646 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\3\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\3\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02647 400 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 02648 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\6\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\2\0\0\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\231\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 68, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\6\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\227\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\2\0\0\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\231\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02649 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\7\0\0\0@\0\0\0\0\0$\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\00\372\22\0\12\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0D\372\22\0\1\0\0\0\1\0\0\0\270\13\0\0", 88, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\232\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 88, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\7\0\0\0@\0\0\0\0\0$\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\00\372\22\0\12\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0D\372\22\0\1\0\0\0\1\0\0\0\270\13\0\0", 88, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\232\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02650 400 NtWaitForSingleObject (489, 0, 0x0, ... 
) == 0x0 02651 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0O\0\0\0\10\0\0\07\0\0\0\0\0$\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0T\372\22\0\260\251A\0\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0", 79, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\7\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 79, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0O\0\0\0\10\0\0\07\0\0\0\0\0$\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0T\372\22\0\260\251A\0\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0", 79, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\7\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02652 400 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02653 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\11\0\0\0\24\0\0\0\0\0\10\0\0\0\0\0\231\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\10\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\11\0\0\0\24\0\0\0\0\0\10\0\0\0\0\0\231\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\10\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02654 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\11\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\230\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\11\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02655 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\13\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\232\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\13\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\232\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02656 400 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 516, ) }, ... 516, ) == 0x0 02657 400 NtWaitForSingleObject (516, 0, {-1800000000, -1}, ... ) == 0x0 02658 400 NtClose (516, ... ) == 0x0 02659 400 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02660 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\14\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 36, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\14\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02661 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\15\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\14\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 68, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\15\0\0\0,\0\0\0\0\0\34\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0NTVDM.\0\0\377\1\17\0", 68, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\14\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02662 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\16\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\16\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02663 400 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02664 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\17\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\16\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\17\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\233\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\16\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02665 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\20\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\17\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\20\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\234\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\17\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02666 400 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\21\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\20\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\21\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226\303!k\340?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\20\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02667 400 NtRaiseException (1242540, 1241800, 1, ... 02668 400 NtContinue (1240604, 0, ... 02669 400 NtTerminateProcess (0, 1, ... 00677 564 NtDelayExecution ... ) == 0xc0 00678 384 NtDelayExecution ... ) == 0xc0 00680 380 NtDelayExecution ... 
) == 0xc0 00681 568 NtDelayExecution ... ) == 0xc0 00682 572 NtDelayExecution ... ) == 0xc0 00683 588 NtDelayExecution ... ) == 0xc0 00684 584 NtDelayExecution ... ) == 0xc0 00424 580 NtDelayExecution ... ) == 0xc0 00451 576 NtWaitForSingleObject ... ) == 0xc0 00977 596 NtWaitForSingleObject ... ) == 0xc0 00963 636 NtWaitForSingleObject ... ) == 0xc0 00987 740 NtWaitForSingleObject ... ) == 0xc0 00841 744 NtWaitForSingleObject ... ) == 0xc0 00967 676 NtWaitForSingleObject ... ) == 0xc0 00991 796 NtWaitForSingleObject ... ) == 0xc0 00889 792 NtWaitForSingleObject ... ) == 0xc0 00861 716 NtWaitForSingleObject ... ) == 0xc0 00906 836 NtWaitForSingleObject ... ) == 0xc0 00857 856 NtWaitForSingleObject ... ) == 0xc0 00873 860 NtWaitForSingleObject ... ) == 0xc0 00736 864 NtWaitForSingleObject ... ) == 0xc0 00910 868 NtWaitForSingleObject ... ) == 0xc0 00981 872 NtWaitForSingleObject ... ) == 0xc0 00877 876 NtWaitForSingleObject ... ) == 0xc0 00904 880 NtDelayExecution ... ) == 0xc0 02669 400 NtTerminateProcess ... ) == 0x0 02670 400 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02671 400 NtClose (420, ... ) == 0x0 02672 400 NtClose (424, ... ) == 0x0 02673 400 NtClose (432, ... ) == 0x0 02674 400 NtClose (428, ... ) == 0x0 02675 400 NtClose (436, ... ) == 0x0 02676 400 NtClose (408, ... ) == 0x0 02677 400 NtClose (416, ... ) == 0x0 02678 400 NtClose (452, ... ) == 0x0 02679 400 NtClose (448, ... ) == 0x0 02680 400 NtClose (444, ... ) == 0x0 02681 400 NtClose (440, ... ) == 0x0 02682 400 NtClose (412, ... ) == 0x0 02683 400 NtClose (388, ... ) == 0x0 02684 400 NtClose (396, ... ) == 0x0 02685 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 02686 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 02687 400 NtClose (392, ... ) == 0x0 02688 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... 
) == 0x0 02689 400 NtWaitForMultipleObjects (2, (364, 368, ), 1, 0, 0x0, ... ) == 0x1 02690 400 NtClose (368, ... ) == 0x0 02691 400 NtSetEvent (364, ... 0x0, ) == 0x0 02692 400 NtClose (364, ... ) == 0x0 02693 400 NtWaitForMultipleObjects (2, (372, 376, ), 1, 0, 0x0, ... ) == 0x1 02694 400 NtClose (376, ... ) == 0x0 02695 400 NtSetEvent (372, ... 0x0, ) == 0x0 02696 400 NtClose (372, ... ) == 0x0 02697 400 NtWaitForMultipleObjects (2, (380, 384, ), 1, 0, 0x0, ... ) == 0x1 02698 400 NtClose (384, ... ) == 0x0 02699 400 NtSetEvent (380, ... 0x0, ) == 0x0 02700 400 NtClose (380, ... ) == 0x0 02701 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02702 400 NtFreeVirtualMemory (-1, (0x2550000), 0, 32768, ... (0x2550000), 262144, ) == 0x0 02703 400 NtUserUnregisterClass (1243440, 1991376896, 1243428, ... ) == 0x0 02704 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02705 400 NtClose (296, ... ) == 0x0 02706 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02707 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02708 400 NtClose (256, ... ) == 0x0 02709 400 NtClose (264, ... ) == 0x0 02710 400 NtClose (268, ... ) == 0x0 02711 400 NtClose (260, ... ) == 0x0 02712 400 NtClose (252, ... ) == 0x0 02713 400 NtWaitForSingleObject (312, 0, 0x0, ... ) == 0x0 02714 400 NtClearEvent (312, ... ) == 0x0 02715 400 NtSetEvent (312, ... 0x0, ) == 0x0 02716 400 NtClose (312, ... ) == 0x0 02717 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02718 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02719 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02720 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02721 400 NtClose (76, ... ) == 0x0 02722 400 NtClose (68, ... ) == 0x0 02723 400 NtClose (64, ... 
) == 0x0 02724 400 NtClose (72, ... ) == 0x0 02725 400 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x0,}, 4, ... ) == 0x0 02726 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03b 02727 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02728 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03d 02729 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02730 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03f 02731 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02732 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc041 02733 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02734 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc043 02735 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02736 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc045 02737 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02738 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc047 02739 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02740 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc049 02741 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02742 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04b 02743 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02744 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04d 02745 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02746 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04f 02747 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... 
) == 0x1 02748 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc051 02749 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02750 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc053 02751 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02752 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc057 02753 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02754 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc059 02755 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02756 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05b 02757 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02758 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05d 02759 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02760 400 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05f 02761 400 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02762 400 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 02763 400 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} "\0\0\0\0\3\0\1\0\315\224s\366M>H\351\1\0\0\0" ... {20, 48, reply, 0, 396, 400, 1605, 0} "\0\0\0\0\3\0\1\0\0\0\0\0M>H\351\1\0\0\0" ) ... {20, 48, reply, 0, 396, 400, 1605, 0} (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} "\0\0\0\0\3\0\1\0\315\224s\366M>H\351\1\0\0\0" ... {20, 48, reply, 0, 396, 400, 1605, 0} "\0\0\0\0\3\0\1\0\0\0\0\0M>H\351\1\0\0\0" ) ) == 0x0 02764 400 NtTerminateProcess (-1, 1, ... 02765 400 NtClose (40, ... ) == 0x0